IRS WISP Builder Tool | Creating an IRS WISP – A Step-by-Step Guide

Step-by-step guide to creating an IT WISP for your business

As a tax and accounting professional, you know that you need an IRS WISP, or Written Information Security Plan. You also know that a WISP is required by the IRS in order to get and stay compliant with the FTC. So, how do you create an effective WISP that both fits the needs of your business and meets IRS requirements? WISP Builder is known for simplifying tasks that would otherwise seem complicated, which is why we’ve put together a step-by-step guide to help with creating an IRS WISP for your business. This guide points you in the right direction to get and stay compliant so that you can get back to serving your clients.

Step One: Know Your Business 

A WISP is not a ‘one size fits all’ cybersecurity plan, and should be created with the size and scope of your business in mind. Smaller businesses that include just you or a few staff members may not need as complex a WISP as a larger firm will, but you still need to be vigilant in creating (and updating!) a detailed plan that hits all of the required steps.

The same goes for larger firms with more employees, but on a larger scale. Every employee needs to be trained on your WISP, and trained again on the updates each time the WISP undergoes any changes.

The length of a written information security plan may vary between small and large businesses. However, every business, regardless of size, is required to include a detailed plan for each section laid out in IRS Publication 5708. All businesses must also follow the steps below on acquiring signatures, storing, and maintaining the WISP in order to be compliant.

What services does your business cover?  What confidential client information do you have access to?  These are good questions to ask yourself before sitting down to put your IRS WISP into place.  

The editable template used inside the WISP Builder tool helps you to assess each area of your business, shining a light on potential access points for data theft. Creating a plan that considers every potential threat before it happens can feel like a big responsibility, but using an editable template like WISP Builder helps make sure you don’t miss a thing when putting it all together.

Step Two: Customizing the WISP Template 

IRS Publication 5708 includes every detail required for your WISP, which is why WISP Builder created its editable template feature using these specific requirements.  

Your WISP should include: 

  • A designated qualified individual responsible for implementing and enforcing the security plan
  • Multi-factor authentication for anyone who is able to access your clients’ sensitive information
  • Assessment of the risks – and a plan to minimize these risks – to your clients’ personal information
  • A regularly monitored and tested safeguards program
  • Service providers that have their own safeguards in place
  • Step-by-step guide to respond to a data breach
  • Ongoing plan to maintain and update the security plan
  • Training for employees to stay up to date as well as keeping your firm’s WISP within easy access for all of your employees  

Step Three: Train Your Staff 

Having a WISP is a great start, but if your employees don’t know what’s inside of it then your cybersecurity plan won’t work.  

Yes, you want to be IRS compliant, but your WISP is meant for so much more. When done well, a WISP gives you a plan that could prevent theft of your clients’ identities. It also allows you to respond quickly and professionally in the case of a data breach, which preserves your business and its reputation.

In order for this plan to work as it is meant to, every employee needs to be trained on the details of your WISP, and all staff should have ongoing cybersecurity training to keep data safety top of mind.  WISP Builder includes plenty of tools to help you train your staff and keep your WISP easily accessible.  

Hiring new or temporary employees for the busy tax season? Don’t forget to train new employees on your security plan, too. Failing to keep up with cybersecurity training can all too easily put your business out of compliance, regardless of whether you were compliant prior to hiring them.

Once your employees are trained, be sure to keep the company’s WISP easily accessible to everyone on staff.  This helps you to stay IRS compliant and keeps your employees ‘in the know.’    

Step Four: Acquire all Necessary Signatures

To prove your compliance with the FTC, your WISP needs to be officially signed by all those who have access to it, which shows that they have an understanding of your cybersecurity plan.

These signatures include:   

  • All staff including new and temporary employees; 
  • All service providers such as those working in IT, your cleaning crew, and copying services;
  • All third party team members, vendors and consultants;
  • Owners and managers. It is considered good practice for those in authority to show everyone else in the company that they are under the same rules.

Step Five: Store Your IRS WISP 

Did you know that in order to be compliant you also need to store your IRS WISP correctly? Keeping your WISP easily available to all staff and service providers means keeping it in a format they can easily reach, like a Word document or PDF. Printing a copy showing all signatures can be good practice annually when you update and review your WISP with staff.

It is also imperative to have a copy of your WISP stored offsite or in the cloud, which can help in proving your compliance in case of a physical disaster or data breach.

Step Six: Update Your WISP Annually

How often should you update your WISP?  The FTC requires that you update your Written Information Security Plan at least annually or anytime there are changes to your staff or the size and scope of your business.  

Monitoring and maintaining your written information cybersecurity plan helps you to stay ahead of identity thieves and keeps you up to date with ongoing changes in data security.  Cyber criminals are always looking for new ways to gain access to your clients’ confidential information, so it’s important that you are also staying up to date by updating your WISP each year.  

WISP Builder features also include an annual reminder so that you can set it and forget it, knowing you will be reminded when it’s time to update your WISP, which keeps you compliant.

All-in-one tools help make creating and maintaining your WISP easier

WISP Builder is the ‘all-in-one’ tool that helps you through each of these 6 steps from creating your WISP and updating it regularly to training your employees and storing it offsite.   
