Why Every Tax Preparer Needs a Written Information Security Plan (WISP)

Jun 11, 2026

Imagine a staff member clicks a link in what looks like a legitimate email and unknowingly hands over login credentials. This is extremely common and happens to experienced preparers who are simply moving fast during a busy season. Now, you have a breach and no documented process for handling it. That gap is exactly what a Written Information Security Plan (WISP) is designed to close.

A WISP outlines how your office handles, stores, and protects client data. It covers who’s responsible for security, how you safeguard your systems, and what your team does if something goes wrong. The IRS requires you to confirm you have one in place during PTIN renewal, and the FTC Safeguards Rule makes it a legal obligation under the Gramm-Leach-Bliley Act.

Here’s what you need to know about putting a WISP to work for your firm

Why Tax Preparers Face Higher Security Risks

Tax offices hold a large amount of personal and financial data in one place. That makes you a natural target for phishing and identity theft. Even a small office can attract the wrong kind of attention because criminals know the value of taxpayer information.

Some risks come from outside your office. Others come from routine internal issues, such as weak passwords or staff who can access more than they need. A WISP complemented by business tax software can help you identify those weak points before they cause damage.

Why EFIN Holders Need to Take This Seriously

Having an EFIN increases your responsibility and exposure. The IRS expects electronic return originators to protect taxpayer data carefully. A WISP is how you demonstrate that your office takes that seriously.

But this is not about checking a box. Because if your office ever faces a breach or a client complaint, you want that written plan to speak for you. It shows you built a system around your obligations and thought through the risks before they became problems.

That system should cover who has access to client files and how your office responds if something looks wrong. With those steps written down, your office becomes harder to fault and easier to run consistently.

What a WISP Should Cover

A useful WISP should reflect how your office works. It should be specific enough to guide action but simple enough for your team to follow without confusion.

Most WISPs should address:

  • How your office collects, stores, and transmits client information
  • Who can access different types of data, and why
  • How you protect devices, passwords, networks, and software
  • How you train staff on security procedures
  • What you do if you suspect a breach or data loss

These areas work together rather than independently. Strong access controls mean little if your team hasn’t been trained on them. Clear breach procedures only help if staff know where to find them.

A generic document that sits in a folder doesn’t do much for you. A practical WISP should connect directly to your daily workflow.

How to Make Your WISP Useful Instead of Decorative

A WISP only works if your office actually uses it. Here are a few ways to make sure it holds up in practice.

Review It Regularly

Your office adds staff, changes software, and shifts workflows. When those things happen, your WISP needs to keep up. Regularly revisiting it helps you stay ahead of gaps before they become problems.

Train Your Team

A policy your team has never read offers little protection. Your newest hire is most likely your biggest vulnerability. Make sure everyone understands the plan and what it expects from them.

Assign Clear Ownership

Who is responsible for keeping this up to date? Assigning a security coordinator gives the plan an owner and ensures updates happen.

How Professional Tax Software Supports Your WISP

Although your WISP defines the rules, your software makes them easier to follow consistently.

IRS-approved tax software for tax preparers helps support your security plan by keeping sensitive data inside a controlled environment. With features like secure document storage and e-signatures, tax software helps you enforce the rules your WISP sets without relying solely on manual checks or good habits.

Software also handles encrypted communication between your office and clients, which is important when sharing tax documents. These are the tools that turn your WISP from a written commitment into something your office runs on.

What This Means for Trust and Stability

Tax clients expect your office to handle their data with care. Although they may never ask how, they are paying attention to how organized and reliable your office feels. Reflect that in your practice by pairing your WISP with the right software and a team that knows the plan.

With that in place, you reduce your exposure and meet the standards the IRS and FTC expect. It also positions you as the kind of office clients refer others to. A WISP will not eliminate every risk, but it demonstrates that your office takes its responsibilities seriously, and that is something both regulators and clients notice.

Related Posts