How to Write a WISP (FTC Safeguards Rule), Step by Step

A WISP is the written information security plan the FTC Safeguards Rule requires of tax and accounting firms. Here is what it must contain, how to draft one section by section, and why writing it is only half the job.

What a WISP is, and who is actually required to have one

A WISP — a Written Information Security Plan — is the documented information-security program that the FTC Safeguards Rule (16 CFR Part 314) requires a firm to develop, implement, and maintain. The Rule implements the Gramm-Leach-Bliley Act (GLBA), which sweeps in a broad set of "financial institutions." That definition expressly includes tax-return preparers, CPAs, accountants, bookkeepers, and Enrolled Agents who handle taxpayer or customer financial information. The obligation does not scale with headcount: a solo preparer working from a home office is as covered as a multi-office firm.

The legal requirement comes from the FTC, not the IRS — but the IRS reinforces it where tax professionals will see it. IRS Publication 4557 (Safeguarding Taxpayer Data) explains the duty, Publication 5708 offers a free sample WISP, and the Form W-12 PTIN application and renewal includes a data-security item by which the preparer confirms awareness of the obligation to maintain a written security plan. That item is an awareness attestation, not a certification or proof of compliance; a real, operating WISP is what stands behind it.

It helps to be precise about what a WISP is not. It is not a single form you sign once, and it is not your antivirus subscription. It is a written program describing where customer information lives, the safeguards protecting it, who is accountable, and how the firm keeps the program current. The amended Safeguards Rule has set out the specific contents of that program since the June 9, 2023 compliance deadline.

The elements the amended Safeguards Rule requires

The amended Rule (16 CFR 314.4) lists nine program-level elements. Your WISP should address each one: designate a single Qualified Individual to oversee the program; base the program on a written risk assessment; design and implement safeguards to control the risks you identified; regularly test or monitor those safeguards; train staff and keep security personnel current; oversee your service providers; evaluate and adjust the program as circumstances change; maintain a written incident response plan; and have the Qualified Individual report in writing to leadership at least annually.

One of those elements — the safeguards in 314.4(c) — expands into eight specific controls, and these are where most of the technical work lives. They are: access controls (least privilege, unique logins); an inventory and classification of the customer data you hold and where it flows; encryption of customer information both at rest and in transit; multi-factor authentication for users; secure development and evaluation of any apps you build or use; secure disposal of records you no longer need; change management before new systems touch customer data; and logging and monitoring of authorized-user activity. Keep the two layers distinct in your own head: the Qualified Individual, risk assessment, incident response plan, and annual report are top-level program elements, while encryption, MFA, disposal, change management, and logging are the safeguards inside element (c).

There is a meaningful relief valve for small firms. Under 16 CFR 314.6, a firm that maintains customer information concerning fewer than 5,000 consumers is exempt from four specific paragraphs: the requirement that the risk assessment be in writing, the continuous-monitoring-or-penetration-testing cadence, the written incident response plan, and the Qualified Individual's annual written report. That is an exemption from four paragraphs — not from the Rule, and not from running a security program with the core safeguards in place. Many small firms still document all four anyway, because the writing is cheap and it is the strongest evidence of diligence if a client, insurer, or examiner ever asks.

A step-by-step process for drafting the plan

Start by designating your Qualified Individual. Name one accountable person — in a solo or small practice this is usually the owner or a senior preparer. Technical depth is not required; authority and accountability are. The firm can lean on an outside IT provider for the technical work, but it cannot outsource responsibility for the program. Then complete a risk assessment: inventory where customer information is created, stored, and transmitted, and identify the reasonably foreseeable threats to it — phishing, credential theft, ransomware, lost devices, insider misuse, and service-provider failures.

With the risks named, document the 314.4(c) safeguards as concrete operating rules rather than aspirations. For each safeguard, write down the rule, the role responsible, and how often it is verified — for example, "MFA is required on tax software, email, the portal, and remote access; the Qualified Individual confirms quarterly that it remains enabled." Build the companion pieces the Rule expects around that core: a staff training program with a completion log, a service-provider oversight policy with a vendor inventory, a records retention and disposal policy, and a written incident response plan.

Finish with the governance layer that keeps the plan alive. Define how the program is tested or monitored, how it is reviewed and adjusted (at least annually and after any material change), and how the Qualified Individual delivers the annual written report to leadership. A crosswalk table that maps each 314.4 element to the section and companion document that implements it makes the plan easy to follow and easy to demonstrate. The order matters: the risk assessment should drive the safeguards you choose, not the other way around.

Writing the plan is not the same as operating it

This is the point that catches firms out, so it deserves to be said plainly: a beautifully written WISP that nobody operates does not protect a single Social Security number, and it does not satisfy the Safeguards Rule. The Rule requires a program that is developed, implemented, and maintained. A document sitting in a folder is the development half; implementation and maintenance are where compliance actually comes from.

Operating the plan means doing the things the plan describes and keeping the proof. MFA has to be turned on, not just promised. Access for departing staff has to be disabled, not just policy. Training has to be delivered and the roster kept. Backups have to be tested. The Qualified Individual has to actually run the annual review and write the report. These artifacts — logs, rosters, review notes, the written report — are what show an examiner, an insurer, or a court that the program is real. The plan tells you what to do; the evidence shows you did it.

So treat the written WISP as the starting line, not the finish line. The most common failure mode is not a missing document — it is a strong document that drifts out of date because the firm changed software, added staff, or moved offices without revisiting the plan. Schedule the review, keep the evidence, and the plan stays true to what your firm actually does.

The ongoing duties: people, vendors, incidents, and reporting

Several Safeguards Rule elements are not one-time drafting tasks at all — they are recurring obligations the WISP simply documents. Staff training is the clearest example: new and seasonal staff should be trained before they touch customer data, and everyone should refresh at least annually, with the completion logged. For a tax office, that training should target the threats most likely to hit it, such as IRS-impersonation phishing and requests to redirect refunds.

Service-provider oversight is another standing duty. Under 314.4(f), you select providers capable of maintaining appropriate safeguards, require those safeguards by contract or accepted terms, and periodically reassess them. Higher-risk vendors that store or process customer tax data warrant closer and more frequent review than low-risk ones. Your incident response plan also has to reflect current obligations: under the FTC's notification amendment effective May 13, 2024, a firm must notify the FTC as soon as possible and no later than 30 days after discovering a security event involving the unencrypted customer information of at least 500 consumers, on top of any IRS Stakeholder Liaison contact and state breach-notification duties.

Finally, reporting closes the loop. The Qualified Individual delivers a written report to firm leadership at least annually — covering program status, material risks, testing results, incidents and responses, and recommended changes. In a small firm that report can run a page, but it is the paper trail that proves the program is governed rather than abandoned.

Where editable templates fit — and where they stop

The longest part of building a WISP is drafting: the master plan, the risk-assessment workbook, the data-security policy, the training program, the vendor-oversight policy, the records-disposal policy, the incident runbook, and the annual-review procedure. The IRS sample WISP in Publication 5708 is free, but it is essentially a skeleton — it does not give you the workbooks and logs that show a program is actually running. This is the layer where editable templates earn their keep, turning a blank page into a tailorable draft.

The ComplianceDocs WISP Toolkit for Tax Professionals sits squarely in this documentation layer. It provides the WISP master document with a 16 CFR 314.4 crosswalk, the supporting policies, a risk register, training and evidence checklists, and an annual-review procedure — all editable, and aligned to IRS Publication 4557. It carries a one-time list price of $59, and a typical firm can populate it in an afternoon or two rather than spending weeks drafting from scratch. Those time figures are illustrative estimates, not quotes; the actual effort varies with your systems and staffing.

Be clear-eyed about the boundary. A toolkit does not designate your Qualified Individual, perform your risk assessment, turn on your MFA, or operate any control — and no document set makes a firm "Safeguards-Rule compliant" on its own. Compliance comes from implementing and maintaining the program. What good documentation buys you is speed to a working draft and a structure you can keep current, so the energy you would have spent on a blank page goes into operating the plan instead.

Frequently asked questions

Is a WISP legally required for a small or solo tax practice?

Yes. The FTC Safeguards Rule (16 CFR Part 314), which implements the Gramm-Leach-Bliley Act, applies to tax and accounting firms of every size because they are treated as financial institutions. There is no small-business exemption from having a security program, so solo preparers and Enrolled Agents are covered. A firm that maintains customer information on fewer than 5,000 consumers gets a limited exemption from four specific paragraphs of 16 CFR 314.4, but it still must develop, implement, and maintain a written security program with the core safeguards in place.

Does the IRS require a WISP, or is it the FTC?

The legal requirement comes from the FTC Safeguards Rule under GLBA, not the IRS. The IRS references and reinforces it: Publication 4557 explains safeguarding taxpayer data, Publication 5708 offers a free sample WISP, and the Form W-12 PTIN application and renewal asks preparers to confirm awareness of their data-security responsibilities. That Form W-12 item is an awareness attestation, not a certification of compliance, and maintaining a real, operating WISP is how responsible firms stand behind it.

What is the difference between the 314.4 elements and the 314.4(c) safeguards?

Section 314.4 lists nine program-level elements: a Qualified Individual, a risk assessment, safeguards, regular testing, training, service-provider oversight, evaluation and adjustment, a written incident response plan, and annual reporting. The safeguards element, 314.4(c), then expands into eight specific controls: access controls, a data inventory, encryption at rest and in transit, multi-factor authentication, secure development and app evaluation, secure disposal, change management, and logging and monitoring. Keep the layers distinct — encryption and MFA are controls inside element (c), not standalone elements of their own.

Does buying a WISP template make my firm compliant with the Safeguards Rule?

No. No document set alone confers compliance. Compliance comes from designating your Qualified Individual, completing your own risk assessment, implementing the safeguards, training staff, and operating and reviewing the program over time. A template accelerates the documentation — usually the most time-consuming part — but your firm must put the plan into practice and keep the evidence that shows it is running. Writing the plan and operating it are two different things, and only the second satisfies the Rule.

How often does a WISP need to be reviewed and reported on?

The Qualified Individual should evaluate and adjust the program at least annually, and additionally after any security incident, material system change, office move, or change in staffing model. Separately, the Qualified Individual delivers a written report on the program to firm leadership at least annually, covering program status, material risks, testing results, incidents, and recommended changes. Firms with information on fewer than 5,000 consumers are technically exempt from the written-report paragraph, but producing the report anyway creates the paper trail that demonstrates the program is governed and current.


Professional editable templates — general information only, not legal, audit, tax, or certification advice, and no professional or advisory relationship is created. No purchase makes an organization compliant or certified. Review each document with qualified counsel, your compliance professional, or your auditor before relying on it. ISO, IEC, SOC 2, AICPA, HIPAA, NIST, GDPR, the EU AI Act, IRS and FTC are referenced descriptively only; ComplianceDocs (ExpertEngine LLC) is independent and is not affiliated with, endorsed by, or certified by any standards body, regulator, or audit firm.