Free preview: Written Information Security Plan (WISP)
These are the genuine opening sections of one document from the WISP Toolkit for Tax Professionals (9 documents total). The amber [placeholders] are what you customize — everything else is ready to use.
Written Information Security Plan (WISP)
Purpose. This Written Information Security Plan (WISP) documents how [Firm Name] protects the nonpublic personal information of its tax clients, as required of professional tax preparers under the Gramm-Leach-Bliley Act and the FTC Safeguards Rule, 16 CFR Part 314. It designates the firm's Qualified Individual, summarizes the firm's data inventory and safeguards, and maps each required element of 16 CFR 314.4 to the section and companion document that implements it. This is the master document the firm produces if a client, the IRS, the FTC, an insurer, or another examiner asks to see its written information security plan.
Plan Statement and Legal Basis
[Firm Name] prepares federal and state tax returns and, in doing so, handles some of the most sensitive personal information a household or small business has: Social Security numbers, income records, bank account and routing numbers, and identity documents. Under the Gramm-Leach-Bliley Act, professional tax preparers are treated as financial institutions, and the FTC Safeguards Rule at 16 CFR Part 314 requires every such firm, regardless of size, to develop, implement, and maintain a written information security plan. This document is that plan.
The IRS reinforces this requirement in Publication 4557 (Safeguarding Taxpayer Data) and Publication 5708 (Creating a Written Information Security Plan for your Tax and Accounting Practice), and Form W-12, the PTIN application and renewal, includes a Data Security Responsibilities item (Line 11) by which the preparer confirms awareness of the legal requirement to create and maintain a written information security plan. That item is an awareness attestation; this plan is the substance behind it. Failure to maintain required safeguards can expose the firm to FTC enforcement, with penalties that are substantial and assessed on a per-violation basis, as well as to IRS sanctions affecting the firm's EFIN and to liability under state breach laws.
Firm Information
The Qualified Individual verifies the entries in this table at each annual review and whenever the firm changes its name, location, ownership, EFIN, or staffing in a way that affects this plan.
Designation of the Qualified Individual
As required by 16 CFR 314.4(a), [Firm Name] designates [Qualified Individual Name and Title] as the Qualified Individual responsible for overseeing, implementing, and enforcing this plan. In a firm of this size the Qualified Individual is typically the owner or a senior preparer; technical depth is not required, but authority and accountability are. The Qualified Individual may rely on an outside IT provider or managed security service for technical work, but under the Safeguards Rule the firm retains responsibility for compliance, and the Qualified Individual supervises any such provider as described in the Service Provider Oversight Policy.
[Backup Name and Title] serves as the backup designee and assumes the Qualified Individual's duties during any absence longer than [5] business days, including during tax season.
- The Qualified Individual maintains this plan and all companion documents and approves all changes to them.
- The Qualified Individual leads the annual risk assessment and the annual review described in the WISP Annual Review and Update Procedure.
- The Qualified Individual activates and leads the Data Incident Response Plan when a security event is suspected.
- The Qualified Individual delivers a written status report on the information security program to the firm's owner or senior management at least annually.
- The Qualified Individual confirms, before each filing season, that all staff, including seasonal staff, have completed the Security Awareness Training Program.
Risk Assessment
The Qualified Individual conducts and documents a risk assessment at least annually and whenever the firm makes a material change to its systems, software, staffing model, or office locations. The assessment identifies where client information lives (the data inventory below), the reasonably foreseeable threats to it, the likelihood and impact of those threats, and the sufficiency of current safeguards. Threats considered include phishing and EFIN or PTIN credential theft, ransomware, theft or loss of laptops and paper files, insider misuse, fraudulent e-file activity, and failures by service providers such as tax software vendors, portals, and IT support.
Under 16 CFR 314.6, a firm that maintains information on fewer than 5,000 consumers is exempt from certain elements of the rule, including the requirement that the risk assessment be in writing. [Firm Name] documents its risk assessment in writing anyway, because a written assessment is inexpensive, makes the annual review faster, and is the strongest evidence of diligence if the firm's practices are ever examined. The written assessment is retained for at least [6] years.
— Preview ends. The full document continues with 8 more documents in the toolkit. —
