IRS WISP Builder Tool | What is the IRS WISP and Why Is It Crucial for Your Practice?

What is the IRS WISP?

Any business that handles sensitive financial data, such as a tax or accounting firm, is required by the Gramm-Leach-Bliley Act (GLBA) and the Federal Trade Commission (FTC) Financial Privacy and Safeguards Rule to create an IRS WISP, or Written Information Security Plan. Whether you are a one-person practice or a larger firm with more than ten accountants, a WISP is required for your business to stay compliant with the FTC because you hold clients’ personally identifiable information. When effectively written, the plan serves as a roadmap for prioritizing the security guidelines that protect the privacy of your clients’ data, and that roadmap helps you identify, assess, and manage information security risks. Ultimately, as a tax and accounting professional you need a WISP to be compliant and to manage the risks associated with handling your clients’ personal information so that you can keep your business running effectively.

A Written Information Security Plan, or IRS WISP, is an evergreen document mapping out your firm’s policies and procedures for handling client data and other sensitive information. The goal of this essential document is to create a plan for your business that outlines physical safeguards aimed at maintaining the privacy and security of your clients’ data, technical safeguards for keeping equipment from being compromised, and administrative safeguards for training and educating your employees on the company’s security plan. The IRS WISP does not guarantee protection, but it does create a plan for being aware of, and prepared to handle, risks.

An IRS WISP should include:

  • An overview of the objectives, purpose, and scope, including the specific reason for creating the plan (i.e. compliance with the GLBA and the FTC Safeguards Rule), what the document contains, and why each item is included. Also state any limits to the scope of the plan so that the document is very clear on what it does and does not cover. For example, the plan is created to assess and monitor the security program in compliance with the FTC.
  • A list of qualified individuals, such as the person responsible for coordinating the security program, the responsible parties within your firm, and any authorized users along with their information access levels and responsibilities. This list should include all parties who have access to client information, such as accountants and administrative staff members with full or partial access, as well as responsible parties, when applicable, like the IT Manager and the Chief Information Security Officer (CISO).
  • An assessment and identification of risks, listing all forms of information, such as Personally Identifiable Information (PII) or financial information, used by your firm. Include potential sources of a data breach, both internal (for example, employee negligence or unauthorized access) and external (for example, hacking or phishing attacks). This step also includes the procedures in place to monitor and test these risks.
  • An inventory of hardware listing all equipment used in the course of business, such as laptops, network routers, servers, and even mobile devices. The list should note where each device is located, who has access to it, and what types of information are stored or processed on it.
  • The safety measures your firm has in place for collecting and storing confidential information, such as always using encryption. These standards may also include policies on data disclosures, network protection or antivirus/anti-malware software, user access (including whether multi-factor authentication is required), how electronic data is exchanged, and how employees use wi-fi, remote access, and connected devices. Reportable incidents and your Employee Code of Conduct are important to include here as well.
  • An implementation clause including the date of implementation, your firm’s name, and a statement that the signed IRS WISP is in place in compliance with the requirements of the GLBA, the Federal Trade Commission Financial Privacy and Safeguards Rule, and any additional state regulatory requirements, if applicable. To officially finalize the plan, the document should be signed by the principal operating officer or owner and the company’s assigned Data Security Coordinator (DSC) and dated with the date of implementation.

What is the purpose of a WISP?

Every tax and accounting firm, and any business handling sensitive financial data or personal client information, needs a Written Information Security Plan, or IRS WISP, to stay in compliance with the Federal Trade Commission (FTC) Financial Privacy and Safeguards Rule. However, the benefits of creating an effective IRS WISP go far beyond compliance. A WISP gives your company the opportunity to form a well-thought-out security plan by assessing and identifying potential threats to your clients’ confidential information.

With an annual review and continued updates to your WISP, you can better maintain your firm’s security program by regularly reassessing the plan and revising it for new personnel, updated technology, or new physical threats. In the case of a data breach, a signed and implemented IRS WISP not only helps your firm provide proof of compliance to the FTC while under investigation, it also helps your team put the security plan into action quickly and effectively.

Why does every tax & accounting business need an IRS WISP?

Tax and accounting practices handle both sensitive financial information and clients’ personally identifiable information, which means you need an IRS WISP, or Written Information Security Plan, in order to legally do business under the Gramm-Leach-Bliley Act (GLBA) and the Federal Trade Commission (FTC) Financial Privacy and Safeguards Rule. Not only is it good practice to identify and address risks in your business, it is good business to plan ahead and prepare your employees to handle a data breach quickly and effectively.

Creating a WISP is mandatory for your business to stay in compliance with the FTC. This means that in the case of a data breach, or of an employee not following your protocols, you will be able to point to your business’s Written Information Security Plan, or WISP, to show the FTC and other inquiring authorities that you had taken steps to set up sufficient security measures and are truly in compliance.

In summary, a Written Information Security Plan, or IRS WISP, is an essential and mandatory document for any tax and accounting business, or any other company that handles sensitive or confidential information. A WISP helps you proactively assess and manage information security, mitigate risks, and stay in compliance with the FTC, so that you can keep your business running as usual.

Creating a WISP can be overwhelming, but WISP Builder makes it simple so that you can get (and stay) compliant and get back to helping your clients.

To learn more, please go to www.ftc.gov and search Safeguards Rule or go to www.IRS.gov and search WISP.
