WISP & the FTC Safeguards Rule for Tax and Accounting Firms: The Complete Guide
A WISP (Written Information Security Plan) is the documented information-security program the FTC Safeguards Rule (16 CFR Part 314) requires every tax preparer, CPA, and accounting firm to develop, implement, and maintain. The Rule implements the Gramm-Leach-Bliley Act (GLBA), which treats firms that prepare tax returns as "financial institutions," so the requirement applies to firms of every size, including solo Enrolled Agents. The IRS reinforces it in Publication 4557 and on Form W-12 (PTIN renewal), but the underlying legal obligation comes from the FTC, not the IRS.
What is a WISP?
A WISP is a written program — not a single form — that documents how your firm protects customer information. The amended FTC Safeguards Rule (16 CFR 314.4) sets out nine required elements: (a) designate a single Qualified Individual to oversee the program; (b) base it on a risk assessment; (c) design and implement safeguards; (d) regularly test or monitor those safeguards; (e) train staff and keep security personnel current; (f) oversee service providers; (g) evaluate and adjust the program over time; (h) maintain a written incident response plan; and (i) have the Qualified Individual deliver a written report at least annually. Element (c) itself specifies eight safeguards: access controls, an inventory of customer data, encryption of customer information in transit and at rest, secure development and evaluation of applications, multi-factor authentication (MFA), secure disposal, change management, and monitoring and logging of authorized-user activity. Testing under element (d) means continuous monitoring, or — absent that — annual penetration testing plus vulnerability assessments at least every six months. The expanded 314.4 elements have been mandatory since the June 9, 2023 compliance deadline.
Who needs it?
The Safeguards Rule applies to "financial institutions" under GLBA, a definition that expressly includes tax-return preparers, CPAs, accountants, bookkeepers, and Enrolled Agents that handle taxpayer or customer financial information — regardless of headcount or revenue. Solo preparers are not exempt. A firm that maintains customer information concerning fewer than 5,000 consumers qualifies for a limited exemption under 16 CFR 314.6 from four specific paragraphs — the requirement to put the risk assessment in writing (314.4(b)(1)), the penetration-testing-and-vulnerability-assessment cadence (314.4(d)(2)), the written incident response plan (314.4(h)), and the Qualified Individual's annual written report (314.4(i)) — but it still must run a security program with safeguards in place. Form W-12 also includes a data-security item by which PTIN holders confirm awareness of these responsibilities, and a real WISP is how responsible firms stand behind it.
What does WISP readiness cost?
| Option | Typical cost | Time to ready |
|---|---|---|
| DIY from the IRS sample WISP (Publication 5708) | Free (your time) | 2-6 weeks of drafting and tailoring |
| ComplianceDocs WISP Toolkit for Tax Professionals | $59 (one-time) | An afternoon or two to populate |
| IT-security consultant or vCISO drafts your WISP | ~$1,250-2,750+ | 3-6 weeks |
| Managed security / compliance platform (larger multi-office firms) | ~$7,000-30,000/yr | 1-3 months to onboard |
Typical timeline
1. Designate your Qualified Individual — Name one person (an employee, affiliate, or service provider) accountable for the security program, as required by 16 CFR 314.4(a). In a solo practice this is usually the owner.
2. Complete a written risk assessment — Inventory where taxpayer data is created, stored, and transmitted, then identify and score reasonably foreseeable internal and external risks. This drives every safeguard you select under 314.4(b).
3. Design and implement the 314.4(c) safeguards — Document and put in place the eight safeguards (access controls, a customer-data inventory, encryption, secure development and app evaluation, MFA, secure disposal, change management, and monitoring and logging), then establish ongoing testing or monitoring under 314.4(d), tailored to the systems your office actually uses.
4. Train staff and oversee service providers — Run security-awareness training (and log it), and put written due-diligence and contract requirements in place for vendors who touch customer data.
5. Prepare an incident response plan — Build a runbook with the specific IRS, FTC, and state breach-notification steps. Under the FTC notification amendment effective May 13, 2024, report to the FTC, as soon as possible and no later than 30 days after discovery, any notification event involving the unencrypted information of at least 500 consumers.
6. Review annually and report — Reassess risks at least annually and after material changes, evaluate and adjust the program, and have the Qualified Individual deliver the annual written report (314.4(i)) to firm leadership.
How editable templates speed this up
Editable templates collapse the longest part of the work — drafting the plan, the risk-assessment workbook, the training program, the incident runbook, the vendor-oversight policy, and the annual-review procedure — into fill-in-the-blank documents you tailor with your firm's details. The IRS sample WISP (Publication 5708) is free but is essentially a skeleton; a toolkit operationalizes it with the workbooks and logs that show your program is actually running. Templates do not designate your Qualified Individual, perform your risk assessment, or operate the controls for you — your firm must do those — but they get you from a blank page to a working draft in an afternoon instead of weeks.
Recommended WISP toolkits
WISP Toolkit for Tax Professionals
Complete Written Information Security Plan package for tax preparers, CPAs and accounting firms — FTC Safeguards Rule (16 CFR 314) crosswalk, IRS Pub 4557-aligned policies, risk assessment workbook, training logs and incident response — everything Pub 5708 doesn't operationalize.
Frequently asked questions
- Is a WISP legally required for a small or solo tax practice?
- Yes. The FTC Safeguards Rule (16 CFR Part 314), which implements the Gramm-Leach-Bliley Act, applies to tax and accounting firms of every size because they are treated as "financial institutions." There is no small-business exemption from having a security program — solo preparers and Enrolled Agents are covered. A firm with customer information on fewer than 5,000 consumers gets a limited exemption from four specific paragraphs of 314.4, but still needs a written information security program.
- What is the "fewer than 5,000 consumers" exemption in the Safeguards Rule?
- Under 16 CFR 314.6, a firm that maintains customer information concerning fewer than 5,000 consumers is exempt from four paragraphs of 314.4: the requirement that the risk assessment be in writing (314.4(b)(1)), the penetration-testing-plus-semiannual-vulnerability-assessment cadence (314.4(d)(2)), the written incident response plan (314.4(h)), and the Qualified Individual's annual written report (314.4(i)). It does not exempt the firm from having a security program, designating a Qualified Individual, implementing safeguards such as encryption and MFA, or training staff.
- Does the IRS require a WISP, or is it the FTC?
- The legal requirement comes from the FTC Safeguards Rule under GLBA, not the IRS. The IRS references and reinforces it — Publication 4557 explains safeguarding taxpayer data, Publication 5708 offers a free sample WISP, and Form W-12 asks PTIN holders to confirm awareness of their data-security responsibilities. The Form W-12 item is an awareness attestation, not a certification, and maintaining a real WISP is how responsible firms stand behind it.
- Does buying a WISP template make my firm compliant with the Safeguards Rule?
- No. No document set alone confers compliance. Compliance comes from designating your Qualified Individual, completing your own risk assessment, implementing the safeguards, training staff, and operating and reviewing the program over time. A template accelerates the documentation — typically the most time-consuming part — but your firm must put the plan into practice and keep it current.
