The WISP Starter Checklist for Tax Preparers
A free, practical path to a Written Information Security Plan (WISP) in 8 steps. Every US tax and accounting firm — including solo preparers — must maintain a WISP under the FTC Safeguards Rule (16 CFR Part 314), and PTIN renewal (Form W-12) asks you to confirm you have one. This checklist walks you through what the plan must contain.
Who this is for: tax preparers, EAs, CPAs, bookkeepers and small accounting firms who need a WISP to satisfy the FTC Safeguards Rule and IRS Publications 4557 and 5708.
Honest note: this is a free step-by-step checklist — a roadmap, not a fill-in document. Working through it does not by itself make your firm compliant; the Safeguards Rule is met by actually designating a Qualified Individual, assessing your risks and operating the safeguards. If you want the editable plan and companion policies to fill in, that is our paid toolkit below.
Step 1 — Designate a Qualified Individual (16 CFR 314.4(a))
The Rule requires one named person accountable for the security program — the first thing an examiner or the IRS looks for.
- Name one person responsible for overseeing and enforcing the WISP (they need not be a security expert)
- Record the appointment in writing, with their authority and reporting line
- If you outsource IT/security, you still designate an internal Qualified Individual to own the relationship
Step 2 — Document a written risk assessment (16 CFR 314.4(b))
The whole plan is built on identifying where client data (names, SSNs, financial records) is exposed.
- Inventory the client information you collect, and where it is stored, processed and transmitted
- Identify internal and external risks to the confidentiality, integrity and availability of that data
- Assess how your current safeguards address each risk, and write it down
- Note: firms holding information on fewer than 5,000 consumers are exempt from the *written* assessment (314.6) — but still must address the risks
Step 3 — Implement the required safeguards (16 CFR 314.4(c))
These are the specific controls the Rule names — the substance of the plan.
- Access controls: limit client-data access to who needs it; review access regularly
- Encryption of client information at rest and in transit (or an approved compensating control)
- Multi-factor authentication for anyone accessing client information systems
- Secure disposal of client information no longer needed (and a data-retention policy)
- Change management and an inventory of systems that hold client data
- Logging and monitoring of authorized user activity
Step 4 — Test and monitor your safeguards (16 CFR 314.4(d))
Controls that are never tested are the ones that fail during an incident.
- Adopt continuous monitoring, OR run annual penetration testing plus vulnerability assessments at least every six months
- Track and remediate the findings
- Smaller firms (under 5,000 consumers) are exempt from this specific testing cadence but should still monitor
Step 5 — Train your team (16 CFR 314.4(e))
Most tax-data breaches start with a person — phishing, a weak password, a mis-sent return.
- Deliver security-awareness training to everyone who touches client data
- Cover phishing, safe handling of returns and SSNs, and your own WISP rules
- Keep dated training records as evidence
Step 6 — Oversee your service providers (16 CFR 314.4(f))
Your responsibility for client data does not end at your software vendor or cloud host.
- List the providers that store or process client data (tax software, cloud storage, email, shredding)
- Confirm they are capable of appropriate safeguards before you engage them
- Require those safeguards by contract, and periodically reassess
Step 7 — Write an incident response plan (16 CFR 314.4(h))
When client data is exposed, the IRS and FTC expect a defined, written response — and tax preparers have specific reporting duties.
- Document the steps to detect, contain and recover from a security event
- Include who to notify — clients, your IRS Stakeholder Liaison, the FTC, and state authorities
- Assign roles and keep the plan somewhere reachable during an incident
- Under 5,000 consumers: the *written* IR plan is not mandated (314.6), but having one is strongly advised
Step 8 — Keep it current and report to leadership (16 CFR 314.4(g), (i))
A WISP is a living document — the Rule requires it to keep pace with your practice, and PTIN renewal asks you to confirm you maintain one.
- Review and update the WISP at least annually, and after any material change
- Have the Qualified Individual report on the program to firm leadership at least annually
- Retain your dated WISP — Form W-12 / PTIN renewal asks you to confirm you have a data security plan (see IRS Publications 4557 and 5708)
Skip the blank page — get the editable WISP
The WISP Toolkit for Tax Professionals gives you the Written Information Security Plan itself plus the companion documents behind this checklist — the risk-assessment workbook, security-awareness training program, incident response plan, service-provider oversight policy, and records-retention policy — in editable Microsoft Word and Excel. You designate your Qualified Individual and complete the risk assessment; the plan and policies are built for exactly that. Instant download, 9 documents, $59 ($41.30 — 30% off auto-applied through July 31, 2026).
Want the background? Read common compliance questions answered, browse compliance terms in the glossary, or see all free resources.
Professional editable templates and general information — not legal or tax advice, and not a guarantee of compliance. The FTC Safeguards Rule, IRS and PTIN requirements are referenced descriptively; ComplianceDocs is not affiliated with the FTC or the IRS. A product of ExpertEngine LLC.
