Top Security Measures to Include in Your IRS Written Information Security Plan
As a tax and accounting professional, your clients are the lifeline of your business. The relationship between you and your clients is built on trust: they trust that you are doing everything you can to secure their data and personal information. This is why you need to take these steps seriously when creating (and updating) your WISP, or Written Information Security Plan. A WISP does more than help you put safeguards and security measures in place; it is also required by the FTC Safeguards Rule, which applies to tax preparers because they are treated as financial institutions under the Gramm-Leach-Bliley Act.
If you were setting up a home security system for your house, you would consider every point of entry a thief could possibly use. You would take careful steps to make it as difficult as possible for thieves to get in. You would most likely have a monitoring system in place, so that if there were a break-in, the correct authorities would be notified as quickly as possible to minimize the damage.
The same steps apply when you create a cybersecurity plan for your tax and accounting business, setting up safeguards around your clients’ data and private information. Consider all points of entry, make it difficult for cyber criminals to enter, and have a swift protocol in place for damage control in case of a data breach.
The 3 essential security measures to include in your IRS Written Information Security Plan are encryption, access control, and employee training.
Encryption keeps a lock on the door.
Unfortunately, it is easy for your clients’ information to be read by an attacker when it passes between you and your client unprotected, for example as an unencrypted email attachment or on a laptop that is lost or stolen. This is why you need to keep a ‘lock on the door’, so to speak. Encrypting confidential information, both where it is stored and while it is in transit, keeps your clients’ data unreadable if it is intercepted or a device goes missing.
Your encryption practices should be specified in your IRS WISP for every device used by any employee (computers, mobile phones and tablets, servers) and anywhere your clients’ information is stored, especially if an employee works remotely; full-disk encryption on laptops and phones is the usual baseline. Also list the encryption methods used when transferring information, such as email, file sharing, or internal communications. One caveat a practitioner will want in the plan: encryption is only as strong as the handling of its keys, so record where encryption keys, passphrases, and recovery codes are kept and who is allowed to use them.
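The two properties the paragraphs above rely on, that an intercepted copy is unreadable without the key and that any alteration is detected rather than silently decrypted, are easiest to see in code. The Go program below is an added example written for this page, not code from the article or from WISP Builder. It encrypts a constructed client record with AES-256-GCM (authenticated encryption from the Go standard library), binds the ciphertext to a client label so one client’s blob cannot be swapped in for another’s, and then shows decryption failing under a wrong key, a wrong label, and a flipped bit. The passphrase, the `client-0042` label, and the record itself are assumptions made up for the demo, and the SHA-256 key derivation is a stand-in for a proper salted, slow KDF such as Argon2id.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// sampleRecord is a constructed client record used only for this example.
const sampleRecord = "Client: Jane Doe; SSN: 123-45-6789; 2023 AGI: 84,210"

// deriveKey turns a passphrase into a 32-byte AES-256 key.
// Assumption for brevity: a plain SHA-256 hash. A real deployment should use a
// salted, slow KDF (Argon2id or scrypt) so a stolen ciphertext cannot be brute-forced.
func deriveKey(passphrase string) []byte {
	sum := sha256.Sum256([]byte(passphrase))
	return sum[:]
}

// newGCM builds an AES-256-GCM AEAD from a 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encrypt seals plaintext with AES-256-GCM and returns nonce || ciphertext || tag.
// label (e.g. the client ID) is bound as associated data: it is not encrypted, but
// decryption fails if the blob is later presented under a different label.
func encrypt(key, plaintext []byte, label string) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends the ciphertext and tag after the nonce so one blob carries everything.
	return aead.Seal(nonce, nonce, plaintext, []byte(label)), nil
}

// decrypt reverses encrypt. Any change to the blob, the key, or the label makes
// Open return an error instead of garbage, which is the point of authenticated encryption.
func decrypt(key, blob []byte, label string) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("blob too short to be a valid ciphertext")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(label))
}

func main() {
	key := deriveKey("correct horse battery staple") // assumed passphrase for the demo
	blob, err := encrypt(key, []byte(sampleRecord), "client-0042")
	if err != nil {
		panic(err)
	}
	fmt.Println("stored/transmitted blob:", hex.EncodeToString(blob))

	pt, err := decrypt(key, blob, "client-0042")
	fmt.Printf("correct key and label: %q (err=%v)\n", pt, err)

	_, err = decrypt(deriveKey("wrong passphrase"), blob, "client-0042")
	fmt.Println("wrong key:", err)

	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the authentication tag
	_, err = decrypt(key, tampered, "client-0042")
	fmt.Println("tampered blob:", err)
}
```

Run it with `go run main.go`. The same approach applies whether the blob is written to disk, attached to an email, or pushed to a file-sharing portal: what travels is the sealed blob, and the key stays with you and the client, which is exactly the separation the WISP should document.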
When using the editable IRS WISP template in WISP Builder to create your WISP, you can easily lay out all the encryption used in your business communication and devices so that you, your employees, and the IRS know you have a plan for safe storing and transferring your clients’ confidential data.
Who has access to sensitive information?
Do you know who has access to the sensitive information passed between you, your clients, and your team? Mapping out an ‘access control’ protocol in your WISP keeps data access limited to those with a need to know. This limited access reduces the risk of threats from both outside and inside the firm. The fewer people who have access, the less chance of theft, and the smaller the damage if one account is compromised.
Just because an employee has access to a client’s data doesn’t necessarily mean they should have access to all of it. Give each role only the minimum access needed to do its job, and remove access promptly when someone changes roles or leaves.
These role-specific rules, together with other safeguards such as multi-factor authentication, strong passwords, and logging that records who accessed what and when, will help build a robust Written Information Security Plan.
When using the editable IRS WISP template in WISP Builder to create your WISP, you can assign roles for each level of access. While these security measures are important, the next step is key to putting your security plan into action: training your employees.
Do your employees know how to prevent or respond to a data breach?
An IRS WISP is only as good as the employees who implement it, which is why the FTC Safeguards Rule requires you to train all of your employees (including new and temporary staff) on your plan. Since data threats are always evolving, you will also need to offer ongoing training and education to your staff to keep data protection top of mind.
Training staff should cover:
- Awareness of phishing scams and cybersecurity
- The WISP and safeguards set in place for your business (and what happens if staff don’t follow these protocols)
- How to create strong passwords
- Why multi-factor authentication is important and utilized
- What to do in case of a data breach, so that everyone knows in advance who does what and can act quickly to minimize damage.
WISP Builder includes resources to help you train your employees on your WISP and keep data protection top of mind for all staff.
More security practices to include in your IRS Written Information Security Plan.
Encryption, access control, and employee training are essential to include in your cybersecurity plan, and there are a few other safeguards you will want to include as well.
Data backup (especially an offline or air-gapped copy that a ransomware infection on your network cannot reach) adds a layer of protection in case of an IT failure or cyberattack. Test your backup plan regularly by actually restoring files from it, not just by checking that the backup job ran. Antivirus and anti-malware software provides another line of defense as well.
As mentioned in the employee training section above, knowing in advance how you will respond to a data breach can save you from far worse damage. Containing an attack as quickly as possible and reporting it promptly to the appropriate authorities (the IRS through your local Stakeholder Liaison, your state tax agency, and the FTC where its breach notification requirement applies) and to affected clients could make all the difference in your cybersecurity plan.
All of your third-party vendors should not only be aware of your company’s WISP, but have their own cybersecurity plan in place, too.
Once you’ve thought through every electronic entry point, be sure to revisit those physical entry points and create security around them as well. Surveillance, locking up devices, and potentially keeping some areas ‘restricted’ should be considered, depending on the size and scope of your business.
Have you updated your IRS Written Information Security Plan lately?
There is a reason the IRS guidance calls for reviewing your WISP at least annually (and whenever there is a change in staff, systems, or how the business operates). Every update gives you a chance to reassess your cybersecurity plan, consider any new developments in cybersecurity, and ‘tighten the locks’ on your plan.
The WISP Builder tool makes updates easy, and we remind you annually when it’s time to update your WISP, keeping you compliant.