WISP Template for Tax Preparers (2026): The Free IRS Option and Paid Toolkits

Every tax and accounting firm that handles client financial data must maintain a Written Information Security Plan (WISP) under the FTC Safeguards Rule (16 CFR Part 314), which implements the Gramm-Leach-Bliley Act — and at PTIN renewal the IRS asks preparers to confirm they are aware of this data-security obligation. You have three routes to a WISP document: the free sample template in IRS Publication 5708, free vendor templates, and paid editable toolkits built for tax firms. This guide compares them honestly. Up front: a written plan is required, but the document by itself does not make a firm compliant — you have to operate the safeguards it describes.

Who needs a WISP, and what the rule actually requires

Under the FTC Safeguards Rule (16 CFR Part 314), which implements the Gramm-Leach-Bliley Act, tax preparers, CPAs and accounting firms count as "financial institutions" and must develop, implement and maintain a written information security program — the WISP. It applies to firms of every size, including solo Enrolled Agents and one-person shops; there is no small-firm exemption. IRS Publication 4557, "Safeguarding Taxpayer Data," is the IRS guidance that points preparers to this obligation, and at PTIN renewal (Form W-12) the IRS asks preparers to confirm they are aware of their obligation to have a data security plan. The rule expects specific elements: a designated person responsible for the program, a written risk assessment, safeguards to control the identified risks, and periodic review. A template gives you a structured starting point for the document; it cannot do the risk assessment or operate the safeguards for you.

Start with the free option: IRS Publication 5708

The honest first stop is free and official. IRS Publication 5708 includes a sample WISP template written for the Security Summit’s "Protecting Taxpayer Data" effort, aimed at sole proprietors and small practices. It is genuinely useful: it walks through the required elements and gives you fill-in sections, at no cost, from the source the IRS itself points to. Its limits are equally honest — it is a lean sample built for the smallest firms, so a multi-employee practice, a firm with cloud software and remote staff, or one that wants mapped risk-assessment workbooks and ready-to-use policies usually needs to extend it. Download Pub 5708 from irs.gov first; if it covers your firm, you are done for free. If you outgrow it, the paid route below trades money for a more complete, tailored set.

The three routes compared

For the WISP document itself, the routes look like this. The comparison is about the documentation — none of these routes operates your safeguards or makes your firm compliant on its own.

| Route | What you get | Cost |
| --- | --- | --- |
| IRS Publication 5708 (free sample) | An official fill-in WISP sample aimed at sole proprietors / small practices | $0 |
| Free vendor templates | A single editable WISP document, often gated behind an email signup; quality and depth vary | $0 |
| Paid editable toolkit (tax-firm specific) | A fuller WISP plus a risk-assessment workbook and supporting policies, tailored to tax practices | $59 one-time |
| Compliance consultant | A custom plan and hands-on implementation help | $1,250+ |

ComplianceDocs’ $59 is our published one-time price. The consultant figure is an illustrative estimate based on publicly available pricing and varies by scope; it is not a quote. Free options change — confirm current terms at the source.

What to look for in a WISP template

Whether the template is free or paid, judge it against the rule’s elements and your firm’s reality:

| Check | Why it matters |
| --- | --- |
| Covers the FTC Safeguards elements | The plan should name a responsible person, include a risk assessment, list safeguards, and require periodic review — the elements 16 CFR 314 expects. |
| Includes a risk-assessment workbook | The written risk assessment is the part most sample documents skip; it is also the part the rule actually requires you to perform. |
| Editable and tailored to a tax practice | A policy must describe how your firm really handles taxpayer data — generic language that could describe any business is the thing examiners flag. |
| Fits your firm size and tools | A solo-preparer sample may not address employees, cloud tax software, or remote access; match the template to your actual setup. |

A WISP document is necessary but not sufficient: maintaining the written plan does not by itself make a firm FTC Safeguards or IRS-Pub-4557 compliant — you must operate the safeguards and keep the plan current.

Where ComplianceDocs fits

ComplianceDocs is one paid option, and we will say plainly that the free IRS Pub 5708 sample is the right starting point for many solo preparers. The WISP Toolkit for Tax Professionals is $59 as a one-time purchase and is built for firms that have outgrown the sample: it pairs an editable WISP with a risk-assessment workbook and the supporting policies a tax practice with employees, cloud software or remote staff typically needs, in Word and Excel under a single-organization licence, with free previews of the real content. It removes the slowest part — drafting and structuring the plan — but you still perform the risk assessment, implement the safeguards, and review the plan over time. The document supports your compliance; it does not, by itself, make your firm compliant.

Frequently asked questions

Where can I get a WISP template for my tax practice?
Start with the free official option: IRS Publication 5708 includes a sample WISP template aimed at sole proprietors and small practices — download it from irs.gov. If your firm has employees, cloud tax software or remote staff and needs a fuller plan with a risk-assessment workbook, ComplianceDocs sells an editable WISP toolkit built for tax practices for $59 one-time.

Is the IRS WISP template free?
Yes. IRS Publication 5708 contains a free sample WISP template, created with the Security Summit and aimed at sole proprietors and small tax practices. It is a solid, no-cost starting point that walks through the required elements; larger or more complex firms often extend it with a fuller risk assessment and additional policies.

Do all tax preparers need a WISP?
Yes. The FTC Safeguards Rule (16 CFR Part 314) treats tax preparers, CPAs and accounting firms as financial institutions and requires every one — including solo Enrolled Agents — to maintain a written information security program. The IRS reinforces this in Publication 4557, and at PTIN renewal preparers confirm they are aware of their data-security obligations.

Does having a WISP make my firm compliant with the FTC Safeguards Rule?
No. The written plan is required, but maintaining the document is not the same as compliance. You must actually perform the risk assessment, implement and operate the safeguards the plan describes, designate someone responsible, and review the program over time. The WISP supports compliance; the firm operating its safeguards is what achieves it.

What is the difference between IRS Pub 4557 and Pub 5708?
IRS Publication 4557, "Safeguarding Taxpayer Data," is the IRS guidance that explains a tax professional’s data-protection obligations. IRS Publication 5708 is the companion that contains an actual sample WISP template you can fill in. Use 4557 to understand what is required and 5708 as a free starting document.

Toolkits that help

FTC Safeguards Rule + IRS Pub 4557 (WISP)

WISP Toolkit for Tax Professionals

Complete Written Information Security Plan package for tax preparers, CPAs and accounting firms — FTC Safeguards Rule (16 CFR 314) crosswalk, IRS Pub 4557-aligned policies, risk assessment workbook, training logs and incident response — everything Pub 5708 doesn't operationalize.

Professional editable templates — general information only, not legal, audit, tax, or certification advice, and no professional or advisory relationship is created. No purchase makes an organization compliant or certified. Review each document with qualified counsel, your compliance professional, or your auditor before relying on it. ISO, IEC, SOC 2, AICPA, HIPAA, NIST, GDPR, the EU AI Act, IRS and FTC are referenced descriptively only; ComplianceDocs (ExpertEngine LLC) is independent and is not affiliated with, endorsed by, or certified by any standards body, regulator, or audit firm.