Why Does the IRS Require Firms That Handle PII to Have a WISP?
“What’s our cybersecurity plan?” is a question that most firms’ employees don’t think about until it’s too late.
Suppose a small accounting firm’s employee calls a colleague in a panic after realizing a staff laptop had been stolen from a car overnight. There were no malware alerts or suspicious logins. It was just a missing device, but it contained loads of client data, from Social Security numbers to tax returns and bank information. “What is our plan?!”
The IRS requires a Written Information Security Plan (WISP), which not only helps firms avoid situations like these but also gives employees the confidence to respond calmly and quickly if client data is accessed from the outside.
What is an IRS WISP?
An IRS WISP is a Written Information Security Plan that lays out exactly how a firm plans to protect confidential client data. A WISP is actually required by the Gramm-Leach-Bliley Act (GLBA) and the Federal Trade Commission’s Financial Privacy and Safeguards Rule before tax professionals can even do business.
Simply put, your IRS WISP is your firm’s playbook for preventing your clients’ data from being accessed by cybercriminals. It also maps out roles and quick action steps for the firm to take if something goes wrong, and it allows you to prove compliance to the IRS if you are investigated after a cybercrime or during an audit.
Why the IRS cares about cybersecurity
Anyone who handles private information for the public, such as Social Security numbers or bank accounts, is a key target for cybercriminals. This includes tax and accounting firms, insurance agencies, payroll companies, and anyone else handling or storing this level of client data.
The personally identifiable information (PII) you have access to is often stored across multiple systems. It only takes a weak password, an unencrypted email, or an untrained employee to open the door to unauthorized access and cause a data breach.
In the case of an audit or a data breach, the IRS doesn’t expect perfection; it knows that these cybercrimes happen. But the IRS does expect planning and readiness, and a WISP proves that you have taken the steps to be prepared.
What should be included in a Written Information Security Plan?
A Written Information Security Plan should be thorough and follow the guidelines provided by the IRS, including:
- Administrative best practices and safeguards: Policies and procedures for how your team is expected to manage client data
- Risk evaluation: Identifying weak spots in where and how client data is shared and stored, and a plan to improve those areas
- Cybersecurity measures: Password creation and storage, encryption, authorized access, and secure systems
- Physical safeguards: Office security, storage, and procedures for lost or stolen equipment
- Data breach response plan: Clear steps that every employee knows in case of a data breach, so that action is taken quickly
- Ongoing monitoring: Every part of the security plan should be regularly monitored and tested so that weak points are spotted before it’s too late
Most importantly, your IRS WISP should be created specifically with your firm, and how it operates, in mind. A generic template that lives in a forgotten desk drawer won’t cut it against today’s increasingly sophisticated cybercriminals. Be specific and diligent in creating a plan that covers all the bases, train your staff so they are ready to take action, and stay on top of WISP updates. WISP Builder helps lay out all of the details to include, so you don’t miss a thing.
Is an IRS WISP a one-time-only task?
No, it is not. This is where many firms go wrong: they skip the mandated annual updates.
A Written Information Security Plan is required to be updated at least annually, and more often if software or staff change or new risks arise. Cybercriminals and their threats are constantly changing and growing stronger, which is why your security plan needs to actively evolve too. WISP Builder has built-in reminders to help you keep your plan up to date, and it makes maintenance and staff training easy.
A WISP is more than compliance
Yes, an IRS WISP is required to be compliant with the FTC and the IRS, but the payoff is much bigger. Your clients’ trust is what keeps your firm running far into the future, and a solid security plan protects both their data and your reputation.
When you have a solid plan in place for your firm and your employees, your staff won’t frantically be asking “What’s our plan?” in a threatening situation. They will know how to help prevent it in the first place, and exactly what to do if a breach were to happen.