A free Written Information Security Plan (WISP) template structured to IRS Publication 5708 and the FTC Safeguards Rule. Copy it, fill in the blanks, and have the documentation the IRS and your software vendors expect.
Generate a compliant WISP in about 10 minutes, tailored to your practice and ready for PTIN renewal, vendors, or an audit.
Under the Gramm-Leach-Bliley Act (GLBA) and the FTC Safeguards Rule, professional tax preparers are classified as "financial institutions" for data-security purposes and are legally required to maintain a written information security plan. There is no size threshold — a sole proprietor preparing a handful of returns is held to the same standard as a large CPA firm. You also confirm you have a data security plan when you obtain or renew your PTIN. The IRS provides the reference structure in Publication 5708.
The Security Summit's updated guidance added three things worth noting: multi-factor authentication (MFA) is now required, the password-rotation expectation moved to at least every 365 days (no more forced 90-day changes), and you must report a security event to the FTC if 500 or more people are affected. The template below reflects these.
1. Firm information. Firm name: [Firm]. Data Security Coordinator: [Name/role]. Plan effective date: [Date]. Last reviewed: [Date]. This WISP covers all personally identifiable information (PII) of clients handled by the firm.
2. Scope and coordinator. This plan applies to all employees, contractors, and systems that access taxpayer data. [Name] is the designated coordinator responsible for implementing, maintaining, and updating this plan at least annually.
3. Risk assessment. The firm identifies reasonably foreseeable internal and external risks to client data across collection, preparation, storage, transmission, and disposal, and evaluates the safeguards in place to control those risks. Risks are reassessed annually and after significant changes.
4. Employee management and training. Access to client data is limited to staff who need it. Employees complete security awareness training at least annually. Background checks are performed where appropriate. A written incident response procedure is maintained (Section 8).
5. Information systems security. Multi-factor authentication is enabled on email, tax software, and remote access. Devices use disk encryption, supported operating systems, automatic updates, and endpoint protection. Client data is encrypted in transit and at rest. Passwords are unique, at least 12 characters, stored in a password manager, and changed at least annually or on suspected compromise.
6. Physical security. Paper records and devices containing client data are stored in locked locations. Records are securely shredded or wiped when no longer needed. Visitors do not have unsupervised access to areas with client data.
7. Data retention and disposal. Client data is retained only as long as required and then securely destroyed. Backups are encrypted and tested for restorability.
8. Incident response. Suspected incidents are reported immediately to the coordinator. The firm contains, investigates, and documents each incident; notifies the IRS Stakeholder Liaison, the state, and affected clients as required; and reports security events affecting 500 or more people to the FTC.
9. Acknowledgment and annual review. All staff sign acknowledgment of this plan. The coordinator reviews and updates the WISP at least annually and after any major change or incident. Signatures and dates are retained as evidence of compliance.
Writing the document is the easy 20%. The other 80% — proving every preparer actually completed the annual training, keeping the plan dated and current each season, and producing signed acknowledgments and certificates when a software vendor or the IRS asks — is what causes the last-minute scramble. CompliQuick generates the WISP and runs the training, tracks completion across your team, and issues dated certificates automatically.
Answer a few questions about your practice. Get a professional, IRS-aligned WISP PDF plus annual training, completion tracking, and certificates — ready for PTIN renewal, vendors, or an audit.
This page is general information, not legal advice. Requirements can change, so confirm current obligations against IRS Publication 5708 and the FTC Safeguards Rule for your situation.