
WISP 101: Goals, Components, and Best Practices

What exactly is a WISP, why do you need one, and what should it include? All that and more, here.


Last Updated March 26, 2025

Category Cybersecurity


If you’re a tax preparer, accountant, or financial services provider, you’ve likely heard the term “WISP” mentioned in relation to your professional obligations. But what exactly is a WISP, why do you need one, and what should it include?

Download: Free WISP Template

All that and more, below…

What is a WISP?

A WISP (Written Information Security Plan) is a comprehensive document that outlines how your business identifies, assesses, and manages cybersecurity risks to protect sensitive client information. It’s not just paperwork—it’s a strategic roadmap for your organization’s data security practices and a requirement for many financial professionals under federal law.

History of the WISP

The WISP grew out of regulators' responses to the growing volume of sensitive information being stored and processed electronically. A brief timeline:

  1. 1996: The Health Insurance Portability and Accountability Act (HIPAA) was enacted. Its Security Rule, finalized in 2003, required covered entities to implement and document administrative, physical, and technical safeguards for electronic health information, establishing the pattern that later written security plans follow.
  2. 1999: The Gramm-Leach-Bliley Act (GLBA) was enacted, including provisions for protecting consumer financial information and directing regulators to set safeguard standards for the financial sector.
  3. 2003: The Federal Trade Commission’s Safeguards Rule, issued under GLBA, took effect, requiring financial institutions (a category that includes tax preparers and accountants) to develop, implement, and maintain a comprehensive written information security program.
  4. Throughout the 2000s and 2010s, states introduced their own regulations, most notably Massachusetts 201 CMR 17.00 (effective 2010), which explicitly requires a written information security program from anyone holding personal information about Massachusetts residents.
  5. 2021: The FTC amended the Safeguards Rule to keep pace with changing technology, adding specific required controls such as encryption of customer information, multifactor authentication, and a designated Qualified Individual.
  6. 2023: The IRS began requiring tax practitioners to have a WISP as part of the PTIN (Preparer Tax Identification Number) annual renewal process.
  7. 2024: The Safeguards Rule’s data breach and security incident reporting requirements went into effect.

Why is having a WISP important?

A WISP matters for several critical reasons:

  • Legal compliance: For tax professionals, a WISP isn’t optional. When renewing your PTIN (Preparer Tax Identification Number) on IRS Form W-12, Question 11 requires you to confirm that you have a WISP in place. The form is signed under penalties of perjury, so falsely stating you have one could result in license revocation or PTIN termination.
  • Business survival: A WISP’s incident response procedures mean your firm knows exactly how to respond to a breach, limiting damage and recovery time instead of improvising under pressure.
  • Insurance and liability protection: Having a WISP in place helps protect your business if you need to make an insurance claim after a data breach. (Some insurance companies have refused to pay damages because the insured party did not have a WISP in place.)
  • Client trust: Your clients trust you with their most sensitive financial information. A WISP ensures you have proper safeguards in place to protect this data and demonstrates your commitment to security.

What is the goal of a WISP?

The primary goal of a WISP is to help you protect your business. Specifically, your plan should aim to:

  • Identify potential risks to the security and confidentiality of client data.
  • Implement controls to mitigate those identified risks.
  • Monitor the effectiveness of security measures on an ongoing basis.
  • Respond appropriately to security incidents when they occur.
  • Document compliance with regulatory requirements.
  • Create accountability by assigning specific security responsibilities within your firm.
  • Build client trust by demonstrating your commitment to data protection.

A well-crafted WISP doesn’t just check a regulatory box—it creates a culture of security awareness throughout your organization and provides a framework for continuous improvement of your security posture.


What are the main components of a WISP?

According to IRS Publication 5708, a comprehensive Written Information Security Plan includes:

1. Objective, purpose, and scope

Why are you creating your plan? State any legal obligations, then explain what taxpayer information is being protected with the security processes outlined in your document.

2. Designated responsible individuals

Identify who will be acting as your business’s Data Security Coordinator (DSC) and Public Information Officer (PIO).

You must define the duties and responsibilities of your chosen individuals as they pertain to your business, but generally speaking:

  • A Data Security Coordinator oversees information security processes, from securing data and fixing what’s vulnerable, to training staff about cybersecurity best practices.
  • A Public Information Officer is the single point of contact for all outward communications related to a data breach incident.

3. Risk assessment

Where might your business’s data be vulnerable? Your risk assessment must list the types of information your office handles and how that information could be compromised, whether by an internal or an external threat: disclosure to unauthorized individuals, accidental deletion, and so on. This section of your WISP must also describe how you will monitor and test the controls that address these data loss risks.

4. Hardware inventory

This section must list every device that stores or processes PII (personally identifiable information), the type of information stored on each device, and each device’s physical location. Keep it current: a device that is missing from the inventory is a device whose data nobody is protecting.

5. Security safeguards

Document the security measures and policies you have in place, from multifactor authentication requirements to remote access protocols. Don’t forget to attach your Incident Response Plan, Data Breach Response Plan, and Breach Notification Plan, and to spell out how your DSC and PIO will operate in the event of a cyberattack.

This section should also include a “Draft Employee Code of Conduct” covering employee training procedures and the steps you take to remove an employee’s access when they leave the firm, whether voluntarily or through termination.

6. Implementation clause

Here, you must confirm that your WISP is being implemented in compliance with the Gramm-Leach-Bliley Act (GLBA) and the FTC Safeguards Rule that implements it (plus any regulations specific to your state).


WISP best practices (4 tips)

No two plans will (or should) look exactly alike. A plan’s contents depend on your business’s size and complexity and on the sensitivity of the data you hold. However, a few best practices make creating a security plan easier for everyone:

1. Designate a Qualified Individual

Before moving any further, you must assign someone to manage your WISP’s creation, implementation, and ongoing maintenance. “Qualified Individual” is the Safeguards Rule’s term for this role; IRS Publication 5708 calls the same role the Data Security Coordinator. This person can be internal or external to your business, but must know how to:

  • Coordinate risk assessments
  • Ensure third-party vendor security compliance
  • Manage staff training

2. Use a template

Starting a plan from scratch is time-consuming and expensive, even for security professionals. Lean on trusted templates, such as the one in IRS Publication 5708, as your starting point, then tailor each section to your own systems, staff, and data.

3. Schedule regular reviews

Your WISP isn’t a one-time, set-it-and-forget-it document. It must be reviewed at least annually to ensure it meets current regulations and addresses evolving threats, and it should also be revisited after any material change to your operations (a new software provider, a new office, a merger) and after any security incident, since the Safeguards Rule expects the program to be adjusted in light of those events.

4. Lean on your technology providers

Your technology providers can make your WISP implementation much easier. Instead of hunting down a provider’s certifications yourself, ask them for documentation of the security controls that support your compliance requirements, and keep that documentation with your WISP as evidence of third-party vendor oversight.

When evaluating potential partners, ensure they:

  • Understand regulatory requirements for financial services
  • Clearly explain how their solutions address WISP requirements

Get help writing your security plan

The right WISP doesn’t just fulfill a regulatory requirement; it helps you identify where your business may be vulnerable to a cyberattack.

Download our free WISP template to begin outlining your comprehensive defense plan.

And don’t forget—we’re here to help bolster your security strategy, assess your vulnerabilities, and guide your WISP creation. Book a security consultation today.
