Written Information Security Plans are essential for tax pros
June 16, 2026
from the IRS
A Written Information Security Plan – or WISP – is just one tool for tax professionals to protect their client’s data, and it’s required by law. The IRS and the Security Summit partners have created an easy sample guide that tax pros can use when making their own WISP. The Security Summit is a public-private partnership made up of representatives from the IRS, state tax administrators, tax software companies, tax professionals, and the larger tax community that helps protect taxpayers from identity theft.
Create a WISP
A WISP protects client information most effectively when tailored to the size, scope, complexity and sensitivity of the customer data it handles. A WISP should focus on:
- Employee training and management
- Information systems
- Detecting and managing system failures
WISP requirements
As a part of their security plan, each tax professional needs to:
- Designate one or more employees to coordinate its information security program
- Evaluate the effectiveness of the current safeguards for controlling those risks
- Identify and assess risks to customer information in each relevant area of the company's operation
- Design and implement a safeguards program and regularly monitor and test it
- Contract a service provider that maintains safeguards and handling of customer information
Maintain and update
The best plans require maintenance and assessment. Here are some tips to keep a WISP updated and relevant:
- Once completed, keep the plan in an easy-to-read format such as a PDF or Word document
- Store a digital copy, in the event of a natural disaster or emergency
- Regularly review and update any security plan, along with adjusting the plan to accommodate changes to the size, scope and complexity of a tax professional’s business
- It is also recommended to create a data theft response plan and report any ID theft