Skip to content

WISP for Tax Preparers: What the Written Information Security Plan Requirement Actually Says

Checked against the primary record: July 17, 2026Rule last amended: November 13, 2023 (88 FR 77508)

Dolev Arama, Founder/Last updated July 18, 2026/Every figure primary-sourced

The short answer

Yes, a WISP is required. A written information security plan is the document the FTC Safeguards Rule requires every tax preparation firm to hold and keep current, and the IRS presses the point at every turn: publications, campaigns, and the checkbox on your PTIN renewal. Here is the requirement itself, from the primary sources.

This explains the written information security plan (WISP) requirement for tax preparers: what it says and who imposes it. It is general information, not legal advice for your specific situation. For that, consult a qualified professional.

What is a WISP in a tax practice?

A WISP (written information security plan) is the document that records how your firm protects the taxpayer and customer information it holds: which safeguards are in place, who is responsible for them, and how they stay current. The name is shorthand the tax field uses for what the FTC's Safeguards Rule calls a comprehensive information security program "written in one or more readily accessible parts." The duty, in plain terms, is not just to be careful with client data. It is to hold a document that says how, and to run the practice by it.

Two properties separate a real WISP from a decorative one. It fits your practice, because the rule scales the program to "your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue." And it stays alive: the rule's own verbs are "develop, implement, and maintain," so a document written once and filed away stops being the program the rule describes. A short plan your firm actually follows meets the standard better than a long one nobody has opened since it was signed.

Is a WISP actually required, and by whom?

Yes, and the requirement has two layers worth keeping straight. The legal duty belongs to the Federal Trade Commission, not the IRS. Under the Gramm-Leach-Bliley Act, the FTC's Safeguards Rule (16 CFR Part 314) applies to "financial institutions," and it reaches tax practices by name: the rule's scope section lists "tax preparation firms" among the businesses it covers, its definitions state that "an accountant or other tax preparation service that is in the business of completing income tax returns is a financial institution," and the FTC's own compliance guidance (December 2024) names tax preparation firms again. The rule itself dates to 2002; the detailed program most firms know today arrived in the 2021 amendment. The operative sentence is short enough to read whole:

Primary record

16 CFR § 314.3(a) · Information security program

You shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue. The information security program shall include the elements set forth in § 314.4 and shall be reasonably designed to achieve the objectives of this part, as set forth in paragraph (b) of this section.
Prepared by Safeguards Monitor from 16 CFR 314.3 (eCFR), current as of July 2026.
67 FR 36493, May 23, 2002, as amended at 86 FR 70307, Dec. 9, 2021 · Verified July 17, 2026

The second layer is the one a working preparer actually feels: the IRS machinery built on top of that duty. The IRS publishes the guidance (Publication 4557) and the fill-in template (Publication 5708). Its Security Summit campaign states the duty flatly: "Tax pros are required to have a security plan under federal law" (IR-2024-208, August 13, 2024), and again in 2025, "Tax professionals are legally required to have a written, accessible plan" (IR-2025-79, July 29, 2025). Every PTIN renewal puts the attestation in front of you on Form W-12. And the IRS holds the one lever with documented teeth for preparers: the e-file program, where it can suspend or expel a provider at its own discretion.

Those two layers explain a confusion the field keeps recycling. The FTC owns the rule but has been quiet toward this profession in practice: we can find no public FTC Safeguards enforcement action against a tax-preparer practice (we last checked the FTC's public listings for the rule on July 17, 2026; the closest record, and what it does and does not show, is in our Safeguards Rule guide). The IRS does not own the rule but supplies the pressure. So when a vendor page tells you "the IRS requires a WISP," read it as shorthand for that machinery, and read the fine print as FTC law.

A third thread is newer and worth pinning. In June 2025 the IRS Office of Professional Responsibility grounded the WISP duty in Circular 230 as well, citing the competence and compliance-procedures standards (sections 10.35 and 10.36) and warning that a missing WISP "could subject a practitioner, in circumstances of willfulness, to discipline under Circular 230" (OPR Issue 2025-8, June 9, 2025). For credentialed practitioners, the duty now has a professional-responsibility edge on top of the regulatory one.

Which document requires what?

Five documents come up in every WISP conversation, and they do different jobs. Two bind you, two guide you, and one records your awareness. Keeping the roles straight is most of the orientation work, and for the guidance pair we cover how to actually use Publication 4557 and its checklist on its own page.

The five documents behind the WISP requirement, and their roles
DocumentWhat it isWhat it means for your WISP
Gramm-Leach-Bliley ActThe federal statute (1999). Binding law.The reason you are covered: it makes financial institutions protect customer data, and tax preparation counts as a financial activity.
16 CFR Part 314 (FTC Safeguards Rule)The FTC regulation under GLBA. Binding law.The WISP duty itself: a written program with the elements of section 314.4, scaled to your firm.
IRS Publication 4557 (Rev. 6-2024)IRS guidance: "Safeguarding Taxpayer Data," with a checklist.The measuring stick: what good practice looks like, mapped to the duties. Not itself the law.
IRS Publication 5708 (Rev. 8-2024)IRS template: a fill-in WISP skeleton for tax and accounting practices.The starting document: structure supplied, decisions left to your firm. Not itself the law.
Form W-12, Line 11 (Rev. October 2025)A mandatory checkbox on PTIN applications and renewals.An awareness attestation, signed under penalties of perjury. It records that you know the duty exists; it does not certify compliance.
Prepared by Safeguards Monitor from the eCFR, IRS Publications 4557 (Rev. 6-2024) and 5708 (Rev. 8-2024), and Form W-12 (Rev. October 2025), current as of July 2026.

What must a WISP include?

Section 314.3(a) sets the frame: "administrative, technical, and physical safeguards," in writing, scaled to your size and data. Paragraph (b) adds the program's three objectives. Security and confidentiality come first, then protection against anticipated threats, then protection against unauthorized access that could bring substantial harm or inconvenience to a customer. Everything else is the contents list.

That contents list lives in 16 CFR 314.4: nine required elements, from designating a Qualified Individual through the annual report to leadership, plus a separate breach-notification duty added in 2023. This page deliberately stays at the map level. Our Safeguards Rule guide walks the full contents against the rule text, element by element, including the eight specific safeguards and the FTC reporting duty.

Size changes the load, not the duty. A firm holding customer information on fewer than 5,000 consumers is excused from four items under 16 CFR 314.6: the written risk assessment, continuous monitoring or penetration testing, the written incident response plan, and the annual report to leadership. The plan itself is never waived. The field gets this wrong in both directions, with pages claiming every firm faces identical requirements and pages waiving more than the rule does; the exact split, with the record on display, is in our guide to the exemption. What no firm escapes, down to a solo seasonal practice: the written program.

How do you actually build one?

The build order matters less than vendors imply and more than a blank template admits. Here is the working sequence, each step anchored to the rule it satisfies:

  1. Designate your Qualified Individual. The rule puts one named person in charge of the program (16 CFR 314.4(a)). An employee or an outside provider can hold the role; responsibility stays with the firm.
  2. Inventory your data and systems. List where taxpayer and customer information actually lives: machines, software, cloud accounts, paper files. You cannot protect what you have not located (314.4(c)(2)).
  3. Assess the risks. Work through how each store of data could be compromised and what limits the damage. Under 5,000 consumers the assessment need not be written; writing it down anyway makes every later step easier (314.4(b)).
  4. Write the policies. This is the WISP document itself: the safeguards your firm commits to, scaled to your practice (314.3(a)). Publication 5708 supplies the skeleton; our walkthrough of the template maps every section and blank.
  5. Turn on the safeguards and train your people. Multi-factor authentication and encryption are on the rule's own list (314.4(c)), and security awareness training covers everyone who touches client data (314.4(e)).
  6. Put your vendors in the plan. Tax software and any outside IT run under your program too: pick providers that can protect customer information, and say so in the contract (314.4(f)).
  7. Keep it alive. Test what you rely on, and revisit the document when the practice changes (314.4(d) and (g)). The next section has the honest cadence.

Two steps in that list are judgment calls no template can make for you: who serves as your Qualified Individual, and which risks your firm accepts rather than mitigates. If either answer is unclear for your practice, that is the moment to consult a qualified professional.

Now the gap most firms are actually standing in. Line 11 of the PTIN renewal asks you to attest awareness of the data-security duty, and the form is signed under penalties of perjury, so the checkbox is not meaningless. But awareness is all it records. The rule requires the program itself, on paper and in practice. Plenty of firms hold the checkbox and not the document, and closing that gap starts on the document side.

How often does a WISP need to be updated?

The rule sets a trigger, not a calendar: the program must be evaluated and adjusted in light of your security testing and of material changes to your operations (16 CFR 314.4(g)). The rhythm comes from IRS guidance. Publication 5708 calls the WISP "an evergreen document that is regularly reviewed, tested, and updated along with changes to the size, scope, and complexity of your business," and its own fill-in language commits the signing firm to a review at least annually and on any material change to the practice. The Security Summit's 2025 reminder compresses it to "review, test and update it regularly" (IR-2025-79). Those cadence words are guidance rather than rule text; the binding duty is the trigger.

The honest translation for a small practice: put a yearly review on the calendar, and reopen the document whenever the practice changes shape (new software, new staff, a new office, a security event). It is the standard this site holds its own pages to; the verification dates near the top of this page are when its records were last checked.

Does the IRS check or audit your WISP?

We can find no IRS program that audits or certifies a preparer's WISP at renewal. Nothing on the current Form W-12 (Rev. October 2025) describes a verification step: Line 11 records awareness in its own words ("I am aware ..."), not the state of the plan behind it. That is an absence claim, so here is its depth: we checked the current form and instructions, the IRS PTIN FAQ pages, and this year's Security Summit releases, on July 17, 2026.

What exists instead is sharper than an audit. The perjury signature makes the attestation itself serious. The e-file program gives the IRS a discretionary lever it has actually used: suspension or expulsion of a provider, no audit required first. Since June 2025, OPR has a stated discipline path for willful failure. And if a breach ever forces the question, the FTC's reporting clock (30 days, for breaches involving at least 500 consumers) runs whether or not a written plan exists. The pattern is worth stating plainly: nobody inspects the document on a schedule, and several mechanisms assume it exists on the day something goes wrong.

FAQ

Can one WISP cover both tax and accounting services?

Yes. The rule asks for one information security program for the firm's customer information, and it may be "written in one or more readily accessible parts" (16 CFR 314.3(a)). A practice that prepares returns and also does bookkeeping or payroll can run a single program, as long as its inventory and safeguards genuinely reach every service line's data.

Do I need separate WISPs for multiple office locations?

Not as a rule. One program can cover several locations if it names them and covers their systems and data; the rule's test is coverage, not document count. A firm may still choose per-location annexes where offices run different software or staff. What matters is that no location operates outside the written program.

Does a WISP still matter if my firm is entirely cloud based?

Yes. The duty follows the customer information, not the hardware it sits on. A cloud-only practice leans hardest on the vendor-oversight element (16 CFR 314.4(f)): choosing providers that can protect the data and binding them by contract. The access side stays yours either way, because multi-factor authentication and encryption settings are configured, and verified, by your firm.

What is the difference between a WISP and an incident response plan?

The incident response plan is one element inside the WISP, not a rival document: 16 CFR 314.4(h) requires a written plan for responding to security events. Firms under the 5,000-consumer threshold are excused from the written incident response plan, but never from the WISP itself. Practically, the WISP says how you prevent trouble; the response plan says what you do when it arrives anyway.

How long should the WISP document be?

No required length exists anywhere in the rule. The program scales to "your size and complexity," so a solo practice's plan can be short and still real. For calibration, the IRS describes its own Publication 5708 as a 28-page template (IR-2025-79), and much of that is instruction and fill-in scaffolding. A short plan your firm follows beats a long one it does not.

What are the penalties for not having a WISP?

Civil penalty authority exists on the books, and the figures circulating in the field are frequently stale or garbled. We keep every penalty figure on one dedicated page, each with its primary source and as-of date, so this page deliberately carries none. The pressure that has actually reached preparers runs through the IRS machinery described above, and that record is documented on our EFIN security guide.

The bottom line

The requirement is real, and it is federal law. One paragraph of one FTC rule obliges your firm to hold a written information security program. The IRS repeats the point every renewal season, and since 2025 the professional-responsibility office says it too. The gap that matters is the one between the checkbox and the document, and it closes from the document side. Start there.