
How to Create Your First Written Information Security Plan (WISP)

A written security plan is required for tax preparers. This beginner-friendly guide walks you through creating your first WISP.

Easy Client Docs Team
September 23, 2025

If you're a tax preparer, you're required to have a written information security plan (WISP). This might sound intimidating, but it's really just a document that describes how you protect client information. Here's a simple guide to creating your first WISP.

What Is a WISP?

A WISP is a written document that explains your security practices. It covers what you do to protect client data, who's responsible for security in your practice, and what happens if something goes wrong. Think of it as your security playbook—a reference you and anyone working with you can use to make sure you're protecting client information properly.

Having a WISP isn't just a good idea—it's required by the FTC Safeguards Rule for tax professionals. But beyond the regulatory requirement, it helps you think through your security practices systematically and ensures you don't overlook important protections.

Getting Started

Start by taking inventory. Make a list of the types of client information you collect and where you keep it. This includes tax returns, W-2s, Social Security numbers, bank account information, and any other sensitive data. Note whether each type of information is stored on paper, on your computer, in the cloud, or in multiple places.

This inventory helps you understand what you need to protect. You can't secure what you don't know you have, so being thorough at this stage is important.

Key Sections to Include

Your WISP should have several main sections. Start with an overview that explains the purpose of the document and your commitment to security. Then designate who's responsible for your security program—in a solo practice, this is you; in a firm, it might be a specific person or role.

Include a section on risk assessment that describes the threats you've considered and how you address them. Cover physical security (how you protect your office and equipment), technical security (passwords, encryption, software), and administrative security (policies and procedures).

Physical Security

Describe how you protect your physical workspace. This includes things like locking your office, securing file cabinets containing client records, positioning computer screens so visitors can't see sensitive information, and properly disposing of paper documents (shredding rather than just throwing away).

If you work from home, address the unique considerations that this creates. How do you prevent family members from accessing client files? Where do you store paper documents securely?

Technical Security

This section covers computer and technology security. Address password policies (how complex passwords must be, how often they change), two-factor authentication, encryption of client data, firewalls and antivirus software, and secure Wi-Fi practices. Explain how you handle software updates and security patches.

If you use cloud services or work with technology vendors, describe how you vet these services and what security they provide. Cover backup procedures too—how you back up client data and how you'd recover if your computer crashed.

Administrative Security

Administrative security covers policies and procedures. Include guidelines for handling client information, training requirements for yourself and any staff, procedures for new client intake, and policies about working remotely. Address how you handle access to client information—who can see what, and how you control that access.

Include your procedures for when things go wrong. What do you do if you suspect a security breach? Who do you notify? How do you document what happened?

Keep It Updated

Your WISP isn't a one-time document—it's a living plan that should grow with your practice. Review it at least annually and update it when you change your procedures, add new technology, or face new threats. Date each version so you can track how your security practices have evolved.

The IRS provides a sample WISP specifically for tax professionals that can serve as a starting point. Many professional associations also offer templates. Use these resources to get started, then customize for your specific practice.
