For tax, financial, and legal firms of all sizes, an IRS WISP (Written Information Security Plan) isn’t just a recommended safeguard. It’s a legal requirement. Professionals handling sensitive taxpayer information are mandated by both the Gramm-Leach-Bliley Act and the Federal Trade Commission’s Financial Privacy and Safeguards Rules to create a documented plan to protect client data from unauthorized access and misuse.
Do you have a Written Information Security Plan in place? Here’s how to establish a protocol that turns responsibility into daily habits and documented controls.
Why You Need a WISP
A Written Information Security Plan is the framework that defines how a firm prevents, detects, and responds to threats across people, technology, and physical spaces. By documenting the policies and procedures required by law, an IRS WISP ensures that your tax, financial, or legal firm remains compliant while also meeting client expectations and reinforcing trust around the security of their personally identifying information (PII), such as Social Security numbers, tax records, birth dates, employment data, and financial account information. Your WISP also serves as proof to regulators of how that protection is achieved, making the plan a professional obligation as well as a safeguard for your tax firm.
A well-built WISP provides clarity on what to do when the unexpected happens. It complies with regulatory requirements, meets professional responsibility, and serves as a vital defense against data breaches that can harm both clients and practices.
What’s at Risk without a WISP?
Failing to maintain a Written Information Security Plan exposes tax professionals to steep fines and legal consequences. The FTC has the authority to impose penalties that can reach into the tens of thousands per violation, with some cases climbing as high as $100,000.
Without a documented framework for administrative, technical, and physical safeguards, firms are also more vulnerable to breaches, ransomware, and tax identity theft that can jeopardize client data and trigger costly recovery efforts. In a competitive industry where credibility fuels referrals and long-term relationships, the reputational fallout from a breach or compliance failure can be devastating, leading clients to question whether their most sensitive information is truly safe.
How to Build a Written Information Security Plan
You can take one of two approaches when creating an IRS WISP.
Option 1: Get Help
Download one of the many free or low-cost templates available online to guide you step by step.
Pro: These templates provide a structured starting point, which can be helpful for smaller firms with limited resources.
Con: Generic templates may not fully address the unique risks of your practice. Relying on them without careful adaptation can leave gaps in compliance or create a false sense of security.
Option 2: Do It Yourself
Conduct research and handle the job on your own.
Pro: You’ll create tailored, detailed documentation that reflects your unique way of doing things and stands up to regulatory scrutiny.
Con: Handling the process independently can be time-consuming and may require a deeper investment of effort to interpret and implement the guidance properly.
Critical IRS WISP Publications for Tax Firms
Whether you opt to create a Written Information Security Plan with a template or build one from scratch, the IRS has issued several publications that will help:
- IRS Publication 5708 (Creating a Written Information Security Plan for your Tax & Accounting Practice) provides a step-by-step framework and an easy-to-use template to help tax, financial, and legal firms design a compliant WISP. The publication also includes a sample WISP along with risk assessments, checklists, and policy language that practitioners can adapt and customize.
- IRS Publication 5709 (How to Create a Written Information Security Plan for Data Safety) offers practical worksheets and examples geared toward small firms, showing how to implement safeguards in day-to-day operations and keep the plan current as technology and staffing change.
- IRS Publication 4557 (Safeguarding Taxpayer Data) explains how to protect client data and lays out the administrative, technical, and physical measures that practices should maintain.
Cover These Core Elements in Your IRS WISP
Each practice is different, so your Written Information Security Plan should reflect your needs, workflow, technology stack, and staffing model. In Publication 5708, the IRS recommends that an effective WISP be “appropriate to the company’s size, scope of activities, complexity, and the sensitivity of the customer data it handles.”
According to the IRS, your WISP should focus on employee management and training, information systems, and detecting and managing system failures. Necessary WISP elements include:
- Overview: Define your WISP’s objectives, purpose, and scope.
- Relevant Personnel: Identify your Data Security Coordinator and list any other responsible individuals and authorized users.
- Risk Assessment: Document the types of information your office handles, potential areas for internal and external data loss, and the procedures in place to monitor and test risks.
- Hardware Inventory: List the description and physical location of each item and record the types of information that each stores or processes.
- Safety Measures: Document policies related to data collection and retention, data disclosure, network protection, user access, electronic data exchange, disposal of outdated data, Wi-Fi and remote access, connected devices, and reportable incidents. Draft an Employee Code of Conduct and include it in your WISP.
- Implementation Clause: Show that your IRS WISP complies with the requirements of the GLBA, the Federal Trade Commission Financial Privacy and Safeguards Rule, and any applicable state regulatory requirements. Be sure to include your firm’s name, date of implementation, and the signatures of your owner or COO and Data Security Coordinator.
- Attachments: These might include your record retention policy, client PII definition and policy, breach protocols, vendor contract data security language, hardware inventory, and employee data access policy.
What to Do with Your IRS WISP
Your WISP is an internal document. You won’t have to submit it for review or obtain approval from an outside agency. That said, PTIN renewal requires you to attest that you have an IRS WISP in place, and falsely claiming compliance can carry potential criminal liability. You may have to produce your WISP promptly if you’re ever audited or investigated by the IRS or FTC, and failure to comply can result in fines. In the most serious cases, practitioners risk losing their ability to prepare returns or even practice before the IRS.
Once your WISP is solidified, share it with all relevant stakeholders and train your employees on its contents. Review, test, and update your WISP annually before PTIN renewal to keep it aligned with evolving priorities and best practices.
How IRS Solutions Supports Your Written Information Security Plan
Protecting client data takes more than a plan. It requires modern technology that enforces those policies every day. IRS Solutions was designed with that reality in mind, integrating security features into a powerful suite of tax resolution tools.
IRS Solutions members can feel confident as they create and revise their IRS WISP, knowing that significant resources have been invested in the platform’s encryption and security capabilities.
This is only a partial list of the features that ensure your clients’ sensitive tax information remains fully protected at all times:
Encryption Standards
- 256-bit AES (Advanced Encryption Standard) encryption for all data at rest, matching the same encryption level used by financial institutions and government agencies
- TLS 1.3 encryption for all data in transit between your system and IRS servers
- End-to-end encryption for credential storage using industry-standard cryptographic libraries
Authentication & Access Security
- Multi-factor authentication (MFA) is required for all user accounts
- OAuth 2.0 secure token-based authentication for IRS system access
- Encrypted vaults with zero-knowledge architecture for credentials storage – even IRS Solutions staff cannot access your login and password information
- Session tokens automatically expire and rotate to prevent unauthorized access
Compliance & Monitoring
- IRS Publication 1075 compliant for tax information security
- Third-party security audits and penetration testing are conducted regularly
- Real-time intrusion detection and automated threat response systems
Data Protection Measures
- Automated daily encrypted backups stored in geographically distributed locations
- Role-based access controls to limit data access to authorized personnel only
- Complete audit trails of all system access and actions
- Automatic data purging policies to minimize retained sensitive information
Infrastructure Security
- Hosted on the AWS GovCloud – authorized cloud infrastructure
- Redundant firewalls and network segmentation
- 24/7 security operations center monitoring for threats
- Regular security patches and vulnerability management
Audit Readiness
- Secure portals reduce the need to move files through email and create a consistent history of what was shared and when
- Detailed client records and activity logs support documentation needs and demonstrate how security controls are part of daily operations
Built by tax resolution pros who still use the platform every day, IRS Solutions helps tax, financial, and legal firms of all sizes generate more revenue in fewer hours with intuitive features including optimized solution recommendations, automated IRS transcript monitoring with emailed alerts, fast bulk transcript downloads, bankruptcy discharge date and CSED calculators, and more. Every membership includes access to expert customer support by phone during business hours, quick onboarding and easy data migration, regularly scheduled Continuing Education classes, and a fully branded Marketing Toolkit to help your business grow.
Would you like to see how IRS Solutions can help you operationalize your plan and strengthen your security posture? Book a demo today. We’ll be happy to show you.