The WISP Starter Checklist for Tax Preparers

A free, practical path to a Written Information Security Plan (WISP) in 8 steps. Every US tax and accounting firm — including solo preparers — must maintain a WISP under the FTC Safeguards Rule (16 CFR Part 314), and PTIN renewal (Form W-12) asks you to confirm you have one. This checklist walks you through what the plan must contain.

Who this is for: tax preparers, EAs, CPAs, bookkeepers and small accounting firms who need a WISP to satisfy the FTC Safeguards Rule and IRS Publications 4557 and 5708.

Honest note: this is a free step-by-step checklist — a roadmap, not a fill-in document. Working through it does not by itself make your firm compliant; the Safeguards Rule is met by actually designating a Qualified Individual, assessing your risks and operating the safeguards. If you want the editable plan and companion policies to fill in, that is our paid toolkit below.

Step 1Designate a Qualified Individual (16 CFR 314.4(a))

The Rule requires one named person accountable for the security program — the first thing an examiner or the IRS looks for.

  • Name one person responsible for overseeing and enforcing the WISP (they need not be a security expert)
  • Record the appointment in writing, with their authority and reporting line
  • If you outsource IT/security, you still designate an internal Qualified Individual to own the relationship

Step 2Document a written risk assessment (16 CFR 314.4(b))

The whole plan is built on identifying where client data (names, SSNs, financial records) is exposed.

  • Inventory the client information you collect, and where it is stored, processed and transmitted
  • Identify internal and external risks to the confidentiality, integrity and availability of that data
  • Assess how your current safeguards address each risk, and write it down
  • Note: firms holding information on fewer than 5,000 consumers are exempt from the *written* assessment (314.6) — but still must address the risks

Step 3Implement the required safeguards (16 CFR 314.4(c))

These are the specific controls the Rule names — the substance of the plan.

  • Access controls: limit client-data access to who needs it; review access regularly
  • Encryption of client information at rest and in transit (or an approved compensating control)
  • Multi-factor authentication for anyone accessing client information systems
  • Secure disposal of client information no longer needed (and a data-retention policy)
  • Change management and an inventory of systems that hold client data
  • Logging and monitoring of authorized user activity

Step 4Test and monitor your safeguards (16 CFR 314.4(d))

Controls that are never tested are the ones that fail during an incident.

  • Adopt continuous monitoring, OR run annual penetration testing plus vulnerability assessments at least every six months
  • Track and remediate the findings
  • Smaller firms (under 5,000 consumers) are exempt from this specific testing cadence but should still monitor

Step 5Train your team (16 CFR 314.4(e))

Most tax-data breaches start with a person — phishing, a weak password, a mis-sent return.

  • Deliver security-awareness training to everyone who touches client data
  • Cover phishing, safe handling of returns and SSNs, and your own WISP rules
  • Keep dated training records as evidence

Step 6Oversee your service providers (16 CFR 314.4(f))

Your responsibility for client data does not end at your software vendor or cloud host.

  • List the providers that store or process client data (tax software, cloud storage, email, shredding)
  • Confirm they are capable of appropriate safeguards before you engage them
  • Require those safeguards by contract, and periodically reassess

Step 7Write an incident response plan (16 CFR 314.4(h))

When client data is exposed, the IRS and FTC expect a defined, written response — and tax preparers have specific reporting duties.

  • Document the steps to detect, contain and recover from a security event
  • Include who to notify — clients, your IRS Stakeholder Liaison, the FTC, and state authorities
  • Assign roles and keep the plan somewhere reachable during an incident
  • Under 5,000 consumers: the *written* IR plan is not mandated (314.6), but having one is strongly advised

Step 8Keep it current and report to leadership (16 CFR 314.4(g), (i))

A WISP is a living document — the Rule requires it to keep pace with your practice, and PTIN renewal asks you to confirm you maintain one.

  • Review and update the WISP at least annually, and after any material change
  • Have the Qualified Individual report on the program to firm leadership at least annually
  • Retain your dated WISP — Form W-12 / PTIN renewal asks you to confirm you have a data security plan (see IRS Publications 4557 and 5708)

Skip the blank page — get the editable WISP

The WISP Toolkit for Tax Professionals gives you the Written Information Security Plan itself plus the companion documents behind this checklist — the risk-assessment workbook, security-awareness training program, incident response plan, service-provider oversight policy, and records-retention policy — in editable Microsoft Word and Excel. You designate your Qualified Individual and complete the risk assessment; the plan and policies are built for exactly that. Instant download, 9 documents, $59 ($41.30 — 30% off auto-applied through July 31, 2026).

View the WISP Toolkit

Want the background? Read common compliance questions answered, browse compliance terms in the glossary, or see all free resources.

Professional editable templates and general information — not legal or tax advice, and not a guarantee of compliance. The FTC Safeguards Rule, IRS and PTIN requirements are referenced descriptively; ComplianceDocs is not affiliated with the FTC or the IRS. A product of ExpertEngine LLC.

Professional editable templates — general information only, not legal, audit, tax, or certification advice, and no professional or advisory relationship is created. No purchase makes an organization compliant or certified. Review each document with qualified counsel, your compliance professional, or your auditor before relying on it. ISO, IEC, SOC 2, AICPA, HIPAA, NIST, GDPR, the EU AI Act, IRS and FTC are referenced descriptively only; ComplianceDocs (ExpertEngine LLC) is independent and is not affiliated with, endorsed by, or certified by any standards body, regulator, or audit firm.