Every paid tax preparer in the United States is required to maintain a Written Information Security Plan. That requirement has been in IRS Publication 4557 since 2008, reinforced in Publication 5708 in 2022, extended through the FTC Safeguards Rule amendments that took effect in 2023, and layered with a professional-standards obligation through AICPA SSTS Section 1.3 effective January 1, 2024.
Most firms do not have a current WISP. Of those that do, most bought a sixty-page template, filled in the cover page, and have not looked at it since. That document is not a WISP. It is a binder.
This guide is for the firm that wants the working version. Twelve pages, defensible against an IRS examiner, an FTC investigator, a state attorney general, or a cyber insurance carrier. We walk through who is in scope, what the regulators require, the twelve-page outline section by section, and where firms most commonly fail.
A note up front: we operate the technical safeguards side. We are not your Qualified Individual and we are not your tax counsel. The principal of the firm remains the accountable owner of the WISP.
Who actually has to have a WISP
The WISP requirement reaches further than most preparers realize.
- Any preparer with a PTIN. IRS Publication 4557 imposed the requirement in 2008; Publication 5708 reinforced it in 2022. No firm-size threshold, no revenue threshold. A solo EA preparing 80 returns a year is in scope.
- All CPA firms providing tax services. The FTC Safeguards Rule classifies tax preparers and accountants as financial institutions under the Gramm-Leach-Bliley Act (GLBA). The Safeguards Rule's Information Security Program — functionally a WISP plus operational evidence — is a federal requirement, separate from and additive to Pub 4557.
- Multi-partner firms, single-shingle CPAs, EAs, and registered tax return preparers. Same requirement, same scope.
- AICPA members. SSTS Section 1.3, effective January 1, 2024, adds an explicit professional-standards obligation to protect client confidential information.
What the IRS and FTC actually require
Read together, IRS Publication 4557, Publication 5708, and FTC Safeguards Rule § 314.4 require a small CPA firm to do twelve specific things.
- Designate a Qualified Individual responsible for the program. § 314.4(a).
- Maintain a written risk assessment, updated on material change. § 314.4(b).
- Document administrative, physical, and technical safeguards addressing identified risks.
- Oversee service providers. § 314.4(f). Inventory and contractually bind every vendor with access to customer information.
- Maintain a written incident response plan. § 314.4(h).
- Review and update the WISP annually and on material change.
- Train employees with access to customer information. § 314.4(e).
- Enforce multi-factor authentication on systems with access to customer information. § 314.4(c)(5).
- Encrypt customer information at rest and in transit. § 314.4(c)(3).
- Monitor and test safeguards regularly — continuous monitoring, or annual penetration testing plus vulnerability assessments at least every six months. § 314.4(d).
- Securely dispose of customer information no longer needed. § 314.4(c)(6).
- Retain program records for at least five years.
A defensible WISP is the document demonstrating that each obligation is being met. Twelve obligations, twelve pages: that is how the outline below is organized.
The 12-page WISP outline
Each page below corresponds to one section. Each is structured so an IRS examiner or FTC investigator can read it in five minutes and understand what the firm does, who is accountable, and where the evidence lives.
Page 1 — Cover and scope statement
- Firm legal name, EIN, primary PTIN
- Effective date, version number, next scheduled review date
- Qualified Individual: name and title; approver: managing partner or principal
- One-paragraph scope: who the plan covers (partners, employees, contractors with access to customer information), what data it covers (taxpayer information per IRC § 7216 plus customer information per the FTC Safeguards Rule), and jurisdictions of operation
Page 2 — Risk assessment summary
Not the full risk assessment — that is a separate working document. This page is the summary register: five to seven concrete risks with a likelihood × impact rating, an owner, the current control, and the residual risk. Typical risks for a small CPA firm:
- Phishing leading to email account takeover
- Ransomware via endpoint compromise
- Business email compromise (wire fraud, fraudulent return reroute)
- Lost or stolen laptop
- Vendor compromise (tax software, client portal, cloud storage)
- Insider error or malicious insider
- Physical theft of paper records
Page 3 — Designated roles
- Qualified Individual — FTC § 314.4(a) requirement, named by title and individual
- Privacy / Security Officer — often the same person at small firms; called out separately for clarity
- Incident response team — principal, Qualified Individual, outside breach counsel, IT / MDR provider, cyber insurance broker, IRS Stakeholder Liaison contact
- Backup designees — at minimum a backup Qualified Individual so the program does not die when one person is on PTO
Page 4 — Administrative safeguards
- Hiring and background-check process for staff with customer-information access
- Security awareness training cadence (annual minimum, plus phishing simulations)
- Access provisioning on hire, revocation on offboarding (target: within one business day)
- Acceptable use policy reference (separate document)
- Annual confidentiality acknowledgement from every staff member and contractor
Page 5 — Physical safeguards
- Office access controls and after-hours arrangements
- Locked cabinets for documents, especially during tax season pile-up
- Mobile device and laptop physical security
- Visitor sign-in, escort, no unattended access to work areas
- Disposal procedures — cross-cut shredding, certified hard-drive destruction with certificates retained
Page 6 — Technical safeguards: identity
- MFA on every email mailbox, remote access path, tax software, client portal, and privileged admin account. § 314.4(c)(5).
- Password policy: length over complexity, firm password manager, no shared logins
- Account provisioning and deprovisioning workflow, evidence retained
- Privileged access management — global admin separated from day-to-day accounts
- Conditional access on Microsoft 365 where applicable
Page 7 — Technical safeguards: endpoint and data
- EDR or managed detection and response on every workstation, laptop, and server — including the partner's home machine if it touches client data
- Encryption at rest (BitLocker, FileVault) on every device storing customer information. § 314.4(c)(3).
- Encryption in transit (TLS 1.2+) for email, portals, file transfer
- Backup architecture: 3-2-1 with at least one immutable or off-site copy
- Tested restore — at least one full restore per year, documented
- Patch management cadence for operating systems, browsers, tax software, plugins
Page 8 — Technical safeguards: email and network
- DMARC, SPF, and DKIM configured on the firm's sending domain
- Inbound link protection and attachment sandboxing
- Network segmentation where applicable; guest Wi-Fi isolated
- Wireless security — WPA2 or WPA3, no shared "office" SSID
- Remote access via VPN with MFA or a zero-trust browser, never plain RDP exposed to the internet
- Managed identity threat detection and response for the Microsoft 365 or Google Workspace tenant
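The first bullet on this page, DMARC, SPF, and DKIM on the sending domain, is the one an examiner can verify from outside the firm in seconds, so it is worth a repeatable check. The script below is an added example, not code from the original post or from Obsidian Ridge: it scores SPF and DMARC record strings for the weak settings that leave a domain spoofable (no terminal `all`, `+all`, `~all`, `p=none`, partial `pct`, no aggregate-report address). The three domains and their records are constructed for illustration; a real run would pull the TXT records from DNS for the firm's own domain. DKIM is not checked here because it requires knowing the selector in use.

```python
"""
Score SPF and DMARC records for settings that leave a sending domain open to spoofing.
The records below are constructed examples (hypothetical .test domains), not real DNS data.
"""
import re

# Constructed sample records; a real check would query TXT records for the firm's domain.
SAMPLE_RECORDS = {
    "example-cpa.test": {                       # hardened: strict SPF, enforcing DMARC
        "spf": "v=spf1 include:_spf.google.com -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@example-cpa.test; pct=100",
    },
    "weak-firm.test": {                         # common state: softfail SPF, monitor-only DMARC
        "spf": "v=spf1 include:_spf.google.com ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:reports@weak-firm.test",
    },
    "no-policy.test": {                         # worst case: +all and no DMARC at all
        "spf": "v=spf1 +all",
        "dmarc": None,
    },
}


def parse_dmarc(record):
    """Turn 'tag=value; tag=value' into a dict keyed by lowercase tag name."""
    if not record:
        return {}
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_findings(record):
    """Return a list of weaknesses in an SPF record (empty list means no findings)."""
    if not record or not record.lower().startswith("v=spf1"):
        return ["no SPF record"]
    findings = []
    mechanisms = record.split()[1:]
    all_terms = [t for t in mechanisms if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append("SPF has no 'all' mechanism: unlisted senders evaluate neutral")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("SPF ends in +all: every host on the internet passes")
        elif qualifier in "~?":
            findings.append(f"SPF ends in {qualifier}all: spoofed mail is not rejected by SPF alone")
    # Mechanisms that trigger DNS lookups count toward the RFC 7208 limit of 10.
    lookups = sum(
        1 for t in mechanisms
        if re.match(r"^[+\-~?]?(include:|a\b|mx\b|redirect=|exists:)", t, re.I)
    )
    if lookups > 10:
        findings.append(f"SPF needs {lookups} DNS lookups; receivers stop evaluating after 10")
    return findings


def dmarc_findings(record):
    """Return a list of weaknesses in a DMARC record (empty list means no findings)."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["no DMARC record"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC p=none: monitoring only, spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"DMARC policy '{policy}' is not a valid p= value")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC pct={pct}: policy is applied to only part of the mail stream")
    if "rua" not in tags:
        findings.append("DMARC has no rua= address: no aggregate reports to keep as evidence")
    return findings


def assess_domain(spf, dmarc):
    """Combine SPF and DMARC findings into a pass/review verdict for one domain."""
    findings = spf_findings(spf) + dmarc_findings(dmarc)
    return {"ok": not findings, "findings": findings}


def assess_all(records=SAMPLE_RECORDS):
    """Assess every domain in the record set; returns {domain: verdict}."""
    return {d: assess_domain(r["spf"], r["dmarc"]) for d, r in records.items()}


if __name__ == "__main__":
    for domain, result in assess_all().items():
        print(("PASS   " if result["ok"] else "REVIEW ") + domain)
        for finding in result["findings"]:
            print("   - " + finding)
```

Run it once a quarter against the firm's real records and file the output with the Page 12 review notes; a PASS line with the date on it is the kind of evidence an examiner accepts, and a REVIEW line tells the Qualified Individual exactly which setting to raise with the email provider.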
Page 9 — Vendor management
The page most often missing or stale. FTC § 314.4(f) explicitly requires service provider oversight. Maintain a vendor inventory with, for each entry:
- Vendor name and what they do
- Categories of customer information they can access
- Contract reference, including data protection clauses
- Breach notification obligations (target: 72 hours or less to your firm)
- Last review date
Vendors a small CPA firm typically addresses: Lacerte, Drake, ProSeries, UltraTax, or CCH Axcess; DocuSign or Adobe Sign; SmartVault, ShareFile, or TaxDome; QuickBooks Online, Xero, or Sage; OneDrive, Google Drive, Dropbox; payroll (Gusto, ADP, Paychex); IT and security providers.
Page 10 — Incident response plan
- Detection sources. MDR alerts, SIEM telemetry, user reports, vendor and bank notifications.
- First-hour playbook. Isolate endpoints, revoke compromised credentials, preserve evidence, notify the Qualified Individual.
- Notification timing. State breach laws, IRC § 7216 disclosure considerations, client notification timing.
- IRS Stakeholder Liaison contact for the firm's region, preloaded rather than looked up during an incident.
- Cyber insurance carrier notification — usually 24 to 72 hours, often a coverage condition. See cyber insurance readiness.
- Post-incident review within 30 days, written, retained five years.
Page 11 — Training and awareness
- Annual topics: phishing, business email compromise, social engineering, ransomware, secure data handling, IRS-specific tax-pro scams during filing season
- Phishing simulation cadence — at least quarterly
- Completion tracking and retention with names, dates, content, retained five years
- New-hire training within 30 days of access being granted
- Refresher cadence for staff who fail a simulation or report an incident
- Managed security awareness training with delivery and tracking handled, so the page is backed by evidence, not promises
Page 12 — Annual review and acknowledgements
- Review date, reviewer, summary of material changes since the last review
- Annual report from the Qualified Individual to the principal or partnership, as required by FTC § 314.4(i)
- Tabletop exercise notes — at least one scripted incident walkthrough per year
- Employee acknowledgement form — every staff member signs annually
- Signature block — Qualified Individual and managing partner / principal
That is the entire plan. Twelve pages of substance, plus whatever appendices (acceptable use, vendor list, training records) the firm wants to attach.
What the plan does not need to be
The plans we see fail in a small number of consistent ways.
- It does not need to be sixty pages of definitions copy-pasted from the FTC Safeguards Rule. Regulators do not give credit for length.
- It does not need to be a vendor's branded template. The $500 template is fine as a starting outline, but it is not a defensible plan until customized.
- It does not need to be perfectly polished. It needs to be accurate, current, and actually followed.
- It does not need to address controls you do not operate. No on-premises server? Skip the server-room pages.
The annual review is not optional
Publication 5708 expects review periodically and on material change. FTC § 314.4(i) independently requires the Qualified Individual to produce a written report to the firm's governing body or principal at least annually — covering program status, compliance, risk assessment updates, testing results, security events and management's response, and recommendations for changes.
Most firms do not do this until an incident or insurance renewal forces it. Underwriters are increasingly asking to see the annual report itself, not just a checkbox.
Common failure modes
After auditing dozens of small-firm WISPs, the same failures repeat:
- The plan names a Qualified Individual who does not know they are the Qualified Individual
- The plan still names tax software the firm replaced two years ago
- The vendor list is missing the cloud storage, e-signature, or client portal added since the last review
- Training records are claimed but no log can be produced
- The backup restore test is described but never scheduled
- The incident response plan still lists the IT person who left in 2023
- The annual Qualified Individual report has never been written
None of these are sophisticated failures. They are documentation drift. The fix is operational: a single calendar item, one hour, once a year, with the right people in the room.
Where Obsidian Ridge fits
We do not write the WISP for you. That sits with your Qualified Individual or your outside counsel — the plan must reflect the firm's actual operations, not a provider's assumptions.
What we operate is the technical safeguards layer the WISP describes. Managed detection and response on every endpoint. Managed identity threat detection and response for the Microsoft 365 or Google Workspace tenant where taxpayer email lives. Managed security awareness training with completion tracking that produces the evidence Page 11 claims. Managed SIEM so the incident response plan on Page 10 has detection telemetry behind it.
We package that evidence the way an IRS examiner, an FTC investigator, or a cyber insurance carrier wants to see it: MFA enforcement reports, MDR coverage records, training completion logs, encryption attestation, and vendor agreements with breach notification language. When cyber insurance renewal comes around, the same evidence is what the underwriter is asking for (see cyber insurance readiness). Our accounting industry page covers the operational specifics of tax season threat patterns and IRS-specific scams.
The right next step
Pull your current WISP — or admit you do not have one. Block a sixty-minute working session this week. Walk the document, or its absence, against the twelve-page outline above. Identify the three to five gaps that matter most. Fix those this month. Schedule the annual review.
The WISP is supposed to be a working document, not a deliverable. The IRS examiner, the FTC investigator, the state attorney general, and the cyber underwriter all care about the same question: is the plan real, and is it operating? Twelve pages of accurate, current, followed plan beats sixty pages of binder every time.
If you want a working session walked by a CISSP, start with the briefing. We will pull your current plan against this outline, identify the gaps that matter, and tell you which are operational fixes versus technical safeguard work we can run.
Last updated
May 16, 2026. We refresh this content as the threat landscape and tools evolve.