IRS Publication 4557 WISP Requirements: What Tax Preparers Must Have in Writing
Every tax preparer who handles taxpayer data is legally required to have a Written Information Security Plan. This isn't optional guidance — it's a requirement under the FTC Safeguards Rule, and IRS Publication 4557 spells out exactly what the IRS expects to see.
Most small firms either don't have a WISP or have a template they downloaded years ago and never updated. Both put you at risk. Here's what needs to be in it.
The legal basis
Tax preparers are "financial institutions" under the Gramm-Leach-Bliley Act. That means you're subject to the FTC Safeguards Rule (16 CFR 314), which requires a written information security program. IRS Publication 4557 translates that requirement into practical guidance for tax professionals.
The IRS takes this seriously. They can revoke PTINs, refer cases to the FTC for enforcement, and publicly disclose data security failures. After the wave of tax-related identity theft in 2015-2020, enforcement ramped up.
What the WISP must cover
1. Identify all taxpayer PII you handle
Document every type of taxpayer data your firm collects and processes: Social Security numbers, Employer Identification Numbers, W-2 data, 1099 data, bank account and routing numbers, prior year returns, financial statements. Be specific — list the actual data elements, not just "taxpayer information."
2. Designate a security coordinator
The 2023 Safeguards Rule amendments require a "qualified individual" responsible for the security program. In a solo practice, that's you. In a firm, designate someone by name and title. This person is accountable for implementation and oversight.
3. Conduct a risk assessment
Identify where taxpayer data lives — computers, servers, cloud storage, email, paper files, portable devices. For each location, assess: what could go wrong, how likely is it, and what would happen if it did. Document the assessment and the decisions you made based on it.
4. Administrative safeguards
- Background checks for employees with access to taxpayer data
- Separation of duties where possible
- Annual cybersecurity training for all staff
- Clean desk policy for paper files containing PII
- Procedures for employee termination (access revocation, key/badge return)
5. Technical safeguards
- Strong passwords and multi-factor authentication on all systems
- Encryption for taxpayer data at rest and in transit
- Firewall and antivirus/endpoint protection
- Automatic screen lock after inactivity
- Regular software updates and patching
- Secure disposal of old computers and hard drives
6. Physical safeguards
- Locked office or file room for paper records
- Visitor sign-in procedures
- Secure destruction (shredding) of paper documents with PII
- Laptop security (cable locks, encrypted drives)
7. Incident response plan
Spell out what happens when you discover a breach: who to notify (IRS, state AG, affected taxpayers), how quickly, and what steps to take. The plan should include contact information for your IT support, the IRS identity theft hotline, and your state's breach notification office.
8. Annual review schedule
The WISP must have a stated review date. Update it at least annually and after any significant change — new software, staff changes, office relocation, or a security incident. Date it, sign it, and keep prior versions.
Common mistakes
Using a generic template without customizing it. The IRS can tell when a WISP lists safeguards the firm doesn't actually have. If your WISP says you have a firewall but you're working from a home WiFi network with default settings, that's worse than having no WISP at all.
Never updating it. A WISP from 2019 that references Windows 7 and doesn't mention cloud storage is useless. It needs to reflect how your firm operates today.
Not training staff. The WISP can say "all employees receive annual security training" but if nobody can point to when that happened, the document is performative.
How BlackSheep helps
BlackSheep includes IRS Publication 4557 and the FTC Safeguards Rule as built-in frameworks. Pre-built policy templates, risk assessment workflows, training tracking, and vendor management — everything the WISP requires, documented and audit-ready. $249/month.