How tax professionals can build a compliant written information security plan
By: Verito
May 12, 2025

Tax professionals can no longer ignore WISP (written information security plan) compliance. How you follow the FTC Safeguards Rule and IRS Publication 4557 is now under closer scrutiny. This is crucial for anyone handling sensitive client data.

A WISP isn’t just a document. It’s a living plan that shows how your firm protects taxpayer information. It also covers how to reduce cybersecurity risks and stay audit-ready all year.

Tax professionals must follow WISP compliance protocols if they store, send or work with client data. This applies to all firms, big or small.

What does a WISP include?

A WISP includes broad security policies tailored to your firm’s operations. While each plan is unique, most address the following areas:

  • Risk assessment of your systems and data
  • Access controls for employees, contractors and third parties
  • Encryption protocols for data in transit and at rest
  • Incident response procedures in case of a breach
  • Ongoing training and security awareness
  • Documentation and annual review of policies and protocols

Why WISPs matter

A tax preparer in a mid-size firm experienced a phishing attack just weeks before filing season. While their software was up to date, they had no formal incident response plan or employee training on data handling. The result? A breach report to the IRS and multiple hours of downtime during their busiest week of the year.

A documented WISP backed by real safeguards could’ve helped mitigate the damage and possibly prevented the incident altogether.

Many firms know what’s required in a WISP but haven’t verified their technology supports it. Partnering with a trusted cybersecurity expert specializing in tax and accounting can help ensure your tech safeguards match your written policies.

5 steps to start strengthening your firm’s WISP

  1. Educate yourself on the core components of a WISP. NATP’s online workshop can help with that.
  2. Map your technology environment, including where client data is stored or accessed.
  3. Note any gaps, such as a lack of encryption, missing policies or informal processes.
  4. Designate a WISP owner – even if it’s just you – for maintaining updates.
  5. Document your plan and make it part of your annual compliance review.

Common questions about WISP compliance

What is a written information security plan?
A written information security plan (WISP) outlines how your practice safeguards client data across administrative, technical, and physical layers. It serves as your compliance roadmap for handling sensitive information.

Is WISP compliance mandatory for tax professionals?
Yes. The FTC Safeguards Rule and IRS Publication 4557 outline WISP expectations for any business that handles taxpayer data, including sole proprietors.

Do I need an IT consultant to build a WISP?
Not necessarily. Many firms begin with self-guided templates and educational tools. However, validating the technical side with a security partner is often recommended.

How often should the WISP be reviewed or updated?
Annually, at a minimum, or sooner if there are changes to your software, vendor stack, or staffing structure.

Does cloud hosting help meet WISP standards?
Yes, especially platforms that offer encryption, access control, continuous monitoring and formal compliance frameworks like SOC 2.

Pairing policy with protection

NATP’s on-demand webinar helps tax professionals build strong, compliant security policies. After creating your WISP, ensure your IT systems can support those protections: use secure backups and encrypted access, and monitor your systems year-round.

The right mix of policy, training, and infrastructure ensures your firm is compliant and resilient.

About Verito

Verito provides secure, fully-managed private cloud hosting and IT services purpose-built for tax and accounting professionals. With enterprise-grade data protection, IRS and FTC compliance, and 99.999% uptime during tax season, Verito helps firms eliminate downtime, simplify IT, and work confidently from anywhere. Verito is trusted by practitioners who need infrastructure that just works. Securely.

Information included in this article is accurate as of the publish date. This post is not reflective of tax law changes or IRS guidance that may have occurred after the date of publishing.
