Skip to content

Free WISP Template for Tax Preparers: A Starting Point Built from IRS Pub 5708

Checked against the primary record: July 17, 2026Source revision: IRS Publication 5708 (Rev. 8-2024)

Dolev Arama, Founder/Last updated July 18, 2026/Every figure primary-sourced

The short answer

Here it is: a free Written Information Security Plan (WISP) template for tax and accounting firms, adapted from the IRS's own Publication 5708. Direct download, in Word or PDF, no email address required. Every blank the IRS left for you is marked, explained, and anchored to the FTC's current rule text. It is a starting point, not a finished plan.

This page offers a free WISP template and explains what completing one involves. It is general information, not legal advice for your specific situation. For that, consult a qualified professional.

Prefer to read before you fill anything in? Download the PDF version of the same document.

This template is educational, adapted from IRS Publication 5708. It is general information, not legal advice for your specific situation, and completing it does not by itself make your firm compliant. For advice on your situation, consult a qualified professional.

What does the free WISP template include?

The template is a fill-in document that follows the structure of IRS Publication 5708, the IRS's own "Creating a Written Information Security Plan" sample, with the guidance rewritten in plain English and the current rule text checked section by section. What it is: a complete working skeleton your firm fills in and signs. What it is not: a finished plan, a compliance verdict, or a substitute for the decisions only your firm can make.

  • The plan itself, in the IRS's own section order: objective, purpose, scope, responsible officials, risk assessment, the inside-the-firm policies (collection and retention, personnel accountability, disclosure, reportable events), and the technical policies (network protection, access control and MFA, encrypted exchange, Wi-Fi, remote access, connected devices, training).
  • A rule map showing where each element of 16 CFR 314.4 lives in the document, which Publication 5708 itself does not provide.
  • YOUR FIRM DECIDES boxes at every deliberate blank, each stating what to decide and why, with its rule anchor.
  • Eight working attachments: retention and disposal policy, employee rules of conduct, incident procedures with a filled notification-contacts table, an acknowledgment form, hardware and access inventories, a service-provider list, and a review log.
  • A sources page: every regulatory reference in the document, with its revision date and a link to the primary source, each checked on July 17, 2026.

One design choice worth naming. This download is free the way a document should be free: no email wall, no account, a named publisher, and an honest disclaimer on the cover. In the July 2026 market scan behind this page, those four rarely travel together: of the two lookalike template domains we checked at page depth, neither carried a disclaimer and one named no operator at all, and the named vendors in our scan gate their free templates behind a contact form. We publish under our own name and ask for nothing, because this template is also how you judge us.

What does IRS Pub 5708 leave blank?

Publication 5708 is genuinely good, and it is honest about what it is. The IRS states outright that it provides "sample information," that there is "no one-size-fits-all WISP," and that the document is not a substitute for developing a plan based on your own firm's needs. The skeleton is the IRS's gift; the blanks are the actual work. Concretely, the sample leaves your firm to decide who runs the program day to day (the rule's Qualified Individual, which the IRS sample calls the Data Security Coordinator), who speaks for the firm if an incident happens, what data you actually hold and where, how long you keep records and how you destroy them, which third parties touch your client data, your password and MFA setup, your rule for remote access after hours, and the date you will actually review the plan again.

None of those blanks is a flaw. They are the decisions that make the plan yours, and a plan that skips them is paper. Our template keeps every one, marks it, and explains it, so the blank you are staring at comes with the reason it exists and the rule element it serves. The full map, what each section asks and what only your firm can decide, is in our Publication 5708 walkthrough. The legal duty behind the whole exercise sits in the FTC Safeguards Rule, which requires a written information security program from any firm significantly engaged in preparing returns for compensation.

How do you complete it?

The template walks this order, and each step below carries the rule element it serves. The written-program duty itself is 16 CFR 314.3(a); the elements are 314.4.

  1. Name the responsible person (314.4(a)). One named person oversees and enforces the program. In a solo practice that is you, by name.
  2. Inventory your systems and data (314.4(c)(2)). Computers, server, cloud services, tax software, paper files: the template's Attachment E is the working list.
  3. Fill the risk grid (314.4(b)). What you hold, where it lives, what could realistically go wrong, and what stands in the way. Under 5,000 consumers the formal written risk assessment of 314.4(b)(1) is set aside by 16 CFR 314.6, but the program must still be based on a risk assessment, and the grid is how a small firm does it.
  4. Set the safeguard policies (314.4(c)). Access controls, encryption in transit and at rest, multi-factor authentication with its narrow written exception, disposal timing, change management, and monitoring: the template states each in plain English with the subsection beside it.
  5. Record training (314.4(e)). Staff read the plan, sign the acknowledgment, and sit the annual training; the template carries the forms.
  6. List and bind your service providers (314.4(f)). Tax software, portals, backup, IT support: capable providers, safeguard language in the contract, periodic reassessment.
  7. Sign it, date it, and calendar the review. The signature and date come from Publication 5708's own implementation clause; the duty to review and adjust is the rule's (314.4(g)). An unsigned plan with no review date is a form, not a program.

This template is educational, adapted from IRS Publication 5708. It is general information, not legal advice for your specific situation, and completing it does not by itself make your firm compliant. For advice on your situation, consult a qualified professional.

Can a free template satisfy PTIN renewal?

This question deserves a precise answer, because the renewal moment is where the field sells the most confidence. Line 11 of the current Form W-12 (Rev. October 2025), labeled "Data Security Responsibilities," asks you to attest that you are aware that paid preparers are required by law to create and maintain a written information security plan. It is an awareness attestation. It is not a certification that your plan exists or meets any standard, and no template, free or paid, turns the checkbox into one.

The seriousness runs the other way. The W-12 is signed under penalties of perjury, so the awareness you attest to should be real, and the duty you are attesting awareness of is the FTC's written-program requirement. The honest sequence is: know the duty, hold the document, keep it current. A completed template is how the middle step stops being hypothetical. Whether your particular plan meets the rule for your particular firm is a judgment question, and the one place on this page we will say it plainly:

If you are checking Line 11 and are unsure whether your plan actually covers your firm's situation, put the question to a qualified professional before renewal season, not after. This template gives you the document to bring to that conversation.

What does a WISP cost if you don't do it yourself?

The market for WISP help sorts into a few classes, and the honest map matters more than any vendor's name. We deliberately name no vendors here; classes are enough to know what you are looking at.

The WISP market by class
ClassWhat you getWhat to check before relying on it
IRS Publication 5708 itself (free)The official sample: a solid skeleton with the guidance the IRS chose to include, and the blanks unexplained.Nothing to vet; it is the primary source. Expect to research each blank yourself.
This template (free, ungated)The same skeleton in plain English, blanks marked and explained, rule anchors, working attachments, named publisher, disclaimer on the cover.Its limits are stated on it: educational, a starting point, and the decisions stay yours.
Lookalike template domains (free or a low yearly fee)The IRS document repackaged on exact-match domains built to catch the search.Who operates the site, and whether any disclaimer exists at all. Of the two members we checked in July 2026, neither carried one, and one named no operator anywhere on the page.
Vendor free templates (free, behind an email form)A branded template in exchange for your contact details.What the gate is for, and whether the template itself says what it does not do.
Done-for-you custom (a one-time fee)A consultant drafts the plan around your firm.Whether the deliverable includes the decisions and inventories only your firm can supply, or hands you a longer template.
Managed subscription (an ongoing monthly fee)The plan bundled with monitoring, training, or tooling as a service.What you are paying for monthly once the document exists, and what happens to the plan if you cancel.
Prepared by Safeguards Monitor from its own market scan, July 2026. Classes, not endorsements; price bands stated qualitatively and vendors deliberately unnamed.

Where does the free path genuinely stop? At the decisions. Any honest template, ours included, can structure the work and explain the blanks; it cannot know your systems, your clients, or your risk appetite. Paying is rational when you want another professional to carry part of that judgment, not because a checkbox demands it.

FAQ

Is the IRS's own template enough?

It can be, if you research and fill every blank it leaves. Publication 5708 is the primary source, and our template deliberately stays an adaptation of it: same structure, plainer language, blanks explained, rule anchors added. If you are comfortable working from the original, work from the original; it is linked on this page and inside our document.

Word or PDF?

Both are here, same content. The Word file is the one to fill in; the PDF reads and prints cleanly. No email is required for either.

Does it work for a solo preparer with no staff?

Yes. The rule scales the program to your size and complexity, and the template says at each point what a one-person practice does: you are the named responsible person, both role lines carry your name, and several of the heavier duties are set aside below 5,000 consumers, which the document flags exactly where they come up.

Template or custom: which does my firm need?

Start from what the two actually differ on: judgment, not structure. A template, this one included, gives you the structure and the questions; a good consultant adds their judgment on your answers. Many solo and small firms complete a sound plan from a template alone. A firm with staff, multiple offices, or unusual data flows has more decisions worth a professional's eyes.

What are the penalties if I skip the WISP?

This page deliberately carries no penalty figures: wrong ones circulate widely in this field, and a number without its primary source and as-of date is noise. What enforcement can actually cost is documented, figure by figure, on the site's penalties page. The consequence with the strongest documented record for preparers is not a fine at all: the IRS can suspend or expel an e-file provider over data-security failures, at its own discretion. That is the lever to respect.

The bottom line

The rule asks for a written plan; the IRS gives you the skeleton; this template turns the skeleton into a document you can actually fill in, and it costs nothing to find out. Download it, work the seven steps, and sign it. And if you first want the requirement itself in plain terms, or you are not sure it reaches your kind of practice, the Safeguards Rule explainer covers what the rule requires, who is covered, and which duties a small firm can set aside.

Reading first? The PDF version is the same document.

This template is educational, adapted from IRS Publication 5708. It is general information, not legal advice for your specific situation, and completing it does not by itself make your firm compliant. For advice on your situation, consult a qualified professional.