safeguardsmonitor.com/irs-publication-5708· printed from the live page · figures carry their own as-of dates
IRS Publication 5708, Section by Section: What It Asks, and What It Leaves You to Decide
Checked against the primary record: July 17, 2026 · Source revision: Pub 5708 (Rev. 8-2024)
The short answer
IRS Publication 5708 is the IRS's free, fill-in template for a Written Information Security Plan (WISP): a 28-page skeleton built for tax and accounting practices, last revised August 2024. The structure is solid, and it is done for you. The blanks are the real work. This page walks both, section by section.
This page walks through IRS Publication 5708, the IRS's WISP template, section by section. It is general information, not legal advice for your specific situation. For that, consult a qualified professional.
What is Publication 5708?
Publication 5708, "Creating a Written Information Security Plan for your Tax & Accounting Practice," is the IRS's official WISP template: a fill-in sample plan a tax firm adapts and signs. The current revision is August 2024, released through the Security Summit and described by the IRS as a 28-page template developed "by and for tax and industry professionals" (IR-2024-208, August 13, 2024). It is free and public, and you can download it straight from the IRS.
The document is honest about its own limits, and the honesty is worth quoting. It provides "sample information," in its own words. It warns: "There is no one-size-fits-all WISP. For example, a sole practitioner can use a more abbreviated and simplified plan than a 10-partner accounting firm." And it states that it is not "intended to replace your own research, to create reliance or serve as a substitute for developing your own plan based upon the specific needs and requirements of your business or firm." Read that as the IRS telling you where the template ends: the skeleton is supplied, and the plan is still yours to make.
One distinction keeps every later decision straight: the template is not the requirement. The legal duty to hold a written plan comes from the FTC Safeguards Rule, which reaches tax preparation firms by name. Using Publication 5708 to satisfy that duty is optional and common; holding the written program is not optional. If you want the requirement itself mapped first, who imposes it and through what machinery, start with the WISP requirement guide and come back with the template open.
In June 2025 the duty grew a professional-responsibility edge. The IRS Office of Professional Responsibility devoted a bulletin to the WISP, aimed at the practitioners Circular 230 covers: attorneys, CPAs, enrolled agents, enrolled retirement plan agents, and participants in the IRS's voluntary Annual Filing Season Program. Its consequence paragraph rewards a careful read:
Primary record
Failure to maintain a WISP to protect private financial and personal information may not only put clients at risk for identity theft and fraud committed against them, it may also expose a practitioner to liability for violating the Safeguards Rule and the terms of their malpractice insurance coverage. In addition, it could subject a practitioner, in circumstances of willfulness, to discipline under Circular 230.
OPR Issue 2025-8, June 9, 2025 · Verified July 17, 2026
Read it with the qualifiers intact, because they are the honest part: "may" expose, "could" subject, and only "in circumstances of willfulness." The bulletin grounds the duty in two Circular 230 standards. Section 10.35 is competence, "a practitioner must possess the necessary competence to engage in practice," and section 10.36 obliges practitioners with principal authority to keep "adequate procedures" in place for the firm's compliance. It also names a quieter exposure: the terms of your malpractice insurance coverage. None of this says a missing template gets a practitioner disciplined tomorrow. It says the duty now sits inside professional responsibility as well as consumer-protection law. What enforcement can actually cost, figure by figure with sources, is documented on the penalties page; this page stays with the document.
What does each section of the template ask?
The sample WISP inside Publication 5708 runs seven numbered sections, with six lettered attachments at the back doing the working-document duty (a four-page added-detail block sits between them). Here is the whole map: what each part asks of you, what it deliberately leaves blank, and where the answer comes from. The rule references point at 16 CFR 314.4, the element list every program must include, and the bracketed fields, like the template's own "Your Firm Name Here" and "Employee's Name," are each a decision, not a formality.
| Section | What it asks | What it leaves blank | Where the answer comes from |
|---|---|---|---|
| I. Objective | State what the plan protects and commits to. | Your firm's name, and the commitment in its voice. | Sample text, lightly adapted. |
| II. Purpose | Say why the plan exists: protecting the personally identifiable information (PII) the firm holds. | Little; the sample text can stand with light edits. | Sample text. |
| III. Scope | Define what the plan covers. | Which offices, service lines, systems, and data stores are inside the plan. | Your firm's actual footprint. |
| IV. Identified Responsible Officials | Name who runs the program. | The Data Security Coordinator (the rule's Qualified Individual) and a Public Information Officer, by name. | An owner decision; 16 CFR 314.4(a). |
| V. Inside the Firm Risk Mitigation | Four policies: PII collection and retention, personnel accountability, PII disclosure, reportable events. | What you collect, how long you keep it, who may see it, what triggers a report, and the annual review date (the review commitment sits here, in the disclosure policy). | Your data practices, against 16 CFR 314.4(c). |
| VI. Outside the Firm Risk Mitigation | Seven policies: network protection, user access control, electronic exchange of PII, Wi-Fi, remote access, connected devices, security training. | Password and MFA setup, the encryption method for sending PII, whether remote access is allowed at all, device rules, the training calendar. | Your systems, against 16 CFR 314.4(c) and Publication 4557. |
| VII. Implementation | Put the plan into force. | The effective date and two signatures: principal and Data Security Coordinator. | The owners' pens; the clause is the publication's own. |
| Attachments A to F | The working forms: record retention, rules of conduct, breach procedures and notification contacts, employee acknowledgment, hardware inventory, authorized-access list. | The retention years, the named contacts, the signatures, and every inventory row. | Your records, filled in and kept current. |
Two structural notes the outline hides. The template's guidance brackets the sample plan rather than preceding it: "Getting Started on your WISP" walks the prep before the sample, the added-detail block unpacks each section after it, and the back matter carries a glossary and resource links. Skim those early; they answer beginner questions you would otherwise search for. And the IRS sample calls your program lead the Data Security Coordinator, while the rule that requires the program calls the same person the Qualified Individual. One role, two names. Write one name into Section IV and that confusion ends there.
What does the template deliberately leave blank?
Line the blanks up and a pattern shows: every one is a decision only your firm can make. Who answers for the program, by name (Section IV). What data you actually hold, on which machines, touched by which people (the Scope plus Attachments E and F). How long client records live and how they are destroyed (Attachment A's retention years and the disposal method). Whether remote access exists at all, and behind what authentication (Section VI). Which third parties touch client data. And the annual review date you will actually honor, whose blank sits inside Section V's disclosure policy rather than anywhere you would think to look. The IRS could not fill these in without writing your firm's plan for it, which is exactly what the publication tells you it is not doing.
None of that is a flaw, and this page will not pretend the free document is secretly bad. The skeleton is real work you do not have to redo. What a copied-but-unfilled template cannot do is meet the duty: the rule asks for your program, not the IRS's sample text, and a plan with someone else's blanks still in it is paper. The blanks are where the plan becomes yours.
One market note before the writing starts, because the search results will put it in front of you. A ring of exact-match template domains sells fillable versions of this free document, pitched against the copy-and-paste work this page just walked. In the member we checked at page depth on July 17, 2026, the operator named in the footer is a payments-processing company, no disclaimer of any kind appears, and the sales language promises an audit-ready, compliant document, which is a promise no template can keep. We are not selling you a different skeleton. The primary document is linked above, our own adaptation of it is free with no email wall, and the decisions stay yours either way.
How long does it actually take?
No IRS time figure exists, so the honest answer is a labeled estimate, and here is ours. The basis: the count of fill-in decisions per section, assuming you are documenting systems you already run rather than buying new ones. Sales pages in this market promise a WISP in minutes. The template can be copied in minutes. The plan takes longer, because the plan is the decisions.
- Read the guidance and outline first. The pages before the sample plan, plus the glossary at the back. About 45 minutes, and it repays itself at every later step. (Estimated, like every figure in this list.)
- Name the officials (Section IV). Solo: minutes, your own name in both roles. A multi-owner firm: a real conversation about who carries the program, and it can be the slowest fast step. Five minutes to an hour.
- Fix the scope and inventory the firm (Section III, Attachments E and F). Machines, software, cloud accounts, paper storage, and who touches what. One to two hours solo; closer to half a day with staff, because an inventory is only done when it has been checked against reality.
- Write the inside-the-firm policies (Section V, Attachment A). Collection, retention years, access, disclosure with its annual review date, reportable events. One to two hours of decisions the sample text frames for you.
- Write the technical policies (Section VI). Passwords, MFA, encrypted exchange, Wi-Fi, remote access, connected devices, training. Two to three hours if the settings already exist and you are writing them down. If a control is missing, switching it on is its own project first, and the plan waits for it.
- Run the acknowledgment and training records (Attachment D). Staff read the plan and sign; a solo firm signs for itself. Thirty to sixty minutes, mostly calendaring.
- Implement (Section VII). Sign and date the plan, and put the annual review you committed to back in Section V on a calendar you keep. Fifteen minutes, and the plan is in force.
Add it up and the estimate lands at a focused day for a solo practice, and two or three working sessions across a week for a firm of two to ten. Both figures are estimates; the basis is stated above, and your firm's decision load can move them in either direction. What the total is not: minutes.
The sequence assumes the decisions come easily. Two of them may not: naming the responsible official in a firm where authority is shared, and deciding which risks the plan accepts rather than fixes. If your firm stalls on either, that stall is the signal to put the question to a qualified professional rather than to a longer template.
What changed in the latest revision?
The current revision is August 2024, and it arrived with substance, not housekeeping: the IRS called the template "updated and expanded to make data security planning easier" (IR-2024-208, August 13, 2024). Three changes matter when you fill it in:
- Multi-factor authentication, in the rule's own words. First on the IRS's list of what changed: the sample now carries the rule's formulation, MFA "for any individual accessing any information system" unless the firm's qualified individual has approved, in writing, reasonably equivalent or more secure controls, and its remote-access policy requires MFA outright. The template language tracks 16 CFR 314.4(c)(5).
- The FTC breach-report duty is spelled out. The template instructs: "Report a security event affecting 500 or more people to the FTC as soon as possible, but no later than 30 days from the date of discovery." That mirrors the reporting duty in force since May 13, 2024.
- Password guidance moved to the NIST cadence. The sample now sets password changes "every 365 days, or under specific conditions, such as user requests or when there is evidence of a compromise," citing NIST guidelines. If your office policy still says every 90 days, it is quoting an older habit, not the current template.
Is there anything newer? As of July 17, 2026: no. The PDF the IRS serves is still Rev. 8-2024; we pulled the document itself and checked the IRS's current WISP materials the same day, and the OPR bulletin quoted above remains that office's latest word on the WISP through its bulletin index as of mid-July 2026. The pressure keeps climbing anyway: the IRS's June 2026 tax tip calls the WISP "just one tool for tax professionals to protect their client's data" and states flatly that it is "required by law" (Tax Tip 2026-49, June 16, 2026). When a new revision lands, this page's dates move with it; that is what the checked date at the top is for.
Should you work from Publication 4557 or 5708?
Both, in that order, and they do different jobs. Publication 4557, "Safeguarding Taxpayer Data" (Rev. 6-2024), is the measuring stick: what good practice looks like across a tax practice, with a checklist. Publication 5708 is the pen: the document you actually fill in and sign. A working pattern: skim 4557 once so the checklist is in your head, write the plan in 5708, then test what you wrote against the 4557 checklist. The two publications point at the same underlying duties, so working them as a pair costs nothing extra. Our walkthrough of Publication 4557 does for the guide what this page does for the template.
FAQ
Is Publication 5708 mandatory, or just a template?
It is a template, and using it is optional. The duty it serves is not: the FTC Safeguards Rule requires every covered tax preparation firm to hold a written information security program, whatever document it starts from. The IRS's short companion overview puts the layering in one sentence: "Federal law, enforced by the Federal Trade Commission, requires professional tax preparers to create and maintain a written data security plan" (Publication 5709, Rev. 5-2024). Write your plan in 5708, in an adaptation of it, or from scratch; the rule cares that a real program exists and runs, fitted to your firm.
Can I copy Publication 5708 as-is and be done?
You can copy it in minutes, and what you get is the IRS's sample with your letterhead. The publication itself warns against stopping there: it provides "sample information," it states "There is no one-size-fits-all WISP," and it is explicit that it is no "substitute for developing your own plan based upon the specific needs and requirements of your business or firm." OPR's 2025 bulletin adds the working standard: a plan "scaled to the business's size, scope of activities, complexity, and the sensitivity of the customer data it handles," updated "as business or technology changes dictate." A copied sample with nobody named, nothing inventoried, and no dates meets none of that.
Does completing the template make my firm compliant?
No, and be careful with any page that promises it does. Completing 5708 produces the written program document, which is one required piece. Whether your firm meets the rule also turns on the document's claims being true in practice: the safeguards running, the training happening, the vendors overseen, the reviews actually held. A finished template is the start of compliance work, not a verdict on it. That is why our own free template carries the same warning on its cover.
Where do I download the official PDF?
Straight from the IRS: Publication 5708 (Rev. 8-2024, Catalog No. 93462W), and the short companion overview Publication 5709. The canonical irs.gov link serves the current revision; that is how we checked ours on July 17, 2026. The download is free at those links; a site charging for the same document is a repackager, not the source.
Is there a version with the fill-in order laid out?
Yes, ours: a free adaptation of Publication 5708 in plain English, with every blank this walkthrough covered marked and explained, a rule map the original does not include, and the working attachments, as a direct Word or PDF download with no email wall. It stays what the original is: a starting point your firm completes, not a finished plan.
The bottom line
Publication 5708 is the rare free artifact that deserves its reputation: the IRS did the structure, and did it well. What it asks of you is the part no publisher can supply: names, inventories, retention years, access rules, and a review date you will honor. Set aside the focused day, work the sections in order, and sign it. The blanks are not an obstacle to the plan. They are the plan.
Next in this guide
Free WISP Template: Written Information Security Plan
A free Written Information Security Plan template for tax preparers, adapted from IRS Publication 5708. Direct download in Word or PDF, no email required.
Related
- How we verify
The method behind every figure on this site: primary sources, as-of dates, and dated corrections.