Free template — no credit card, just your email

The WISP Template Your Firm Is Required to Have

A Written Information Security Plan (WISP) is required by federal law for every professional tax preparer — the FTC Safeguards Rule applies to tax and accounting firms of any size, even solo practices. This free fillable Word template covers every required element, following the IRS Publication 5708 format, so you can complete yours in an afternoon instead of starting from a blank page.

Your template is ready — download it below.

Download the WISP Template (Word)
Oops! Something went wrong while submitting the form.

We’ll email you occasional practical security and client-experience tips for firms like yours. Unsubscribe anytime.

Fillable Written Information Security Plan (WISP) Word template with highlighted fill-in fields
10/10
required FTC Safeguards Rule elements covered — § 314.4(a) through (j)
6/6
IRS Pub 5708 attachments included, from retention policy to access roster
30 days
the FTC breach-reporting deadline your plan needs to name — it’s in there

Who needs a WISP? (Short answer: you)

If your firm prepares tax returns, keeps books, or manages trust and estate records, the Gramm-Leach-Bliley Act treats you as a financial institution — and the FTC Safeguards Rule (16 CFR Part 314) requires you to implement and maintain a written information security plan. There’s no small-firm pass: the IRS reminds preparers that the rule applies “regardless of size,” and the annual PTIN renewal now asks you to confirm your data security responsibilities. If a client, an insurer, or the IRS asks to see your WISP tomorrow, this template is the fastest honest way to have a real answer.

What’s inside the template

A complete, fillable plan — not an outline you still have to write:

Every required program element of the FTC Safeguards Rule: qualified individual designation, written risk assessment, access controls, encryption, MFA, disposal, change management, monitoring, service provider oversight, employee training, incident response, and the annual report
The full IRS Pub 5708 structure, including all six attachments: record retention policy, employee rules of behavior, breach procedures with a notification contact table, employee acknowledgment form, hardware inventory, and the authorized-access roster
Tax-practice specifics generic templates miss: IRS Stakeholder Liaison notification, the EFIN activity check after a suspected breach, IRC § 7216 disclosure consent, and the FTC’s 30-day breach reporting rule
Highlighted fill-in fields — replace the brackets, delete what doesn’t apply, sign, done

Verified against the actual rules

We didn’t summarize a summary. This template was checked line-by-line against the current text of 16 CFR Part 314 and the IRS’s own Pub 5708 sample plan (rev. 8-2024). Every element of § 314.4(a) through (j) — all nine program elements plus the 2023 breach-notification requirement — maps to a numbered section in the document. Where the sample IRS language is looser than the actual rule (like multi-factor authentication, which the rule requires for any system access, not just remote login), the template follows the rule.

The one section most WISPs get wrong

Your WISP has to describe how client documents actually move between you and your clients. If the honest answer is “email attachments,” the plan contradicts itself — the Safeguards Rule requires encryption in transit, and a plain email attachment isn’t that.

The template’s Electronic Exchange section is written for a portal-first practice: files exchanged through a secure client portal that encrypts in transit and at rest, authenticates the recipient, and logs access. That’s the part Zapa handles — a portal simple enough that clients of any age actually use it, with unlimited users and no per-seat fees.

Frequently asked questions

Is a WISP really mandatory for a small tax practice?

Yes. The FTC Safeguards Rule applies to professional tax preparers as financial institutions regardless of size. Some elements (like penetration testing and the annual written report) are only required once you hold information on 5,000 or more consumers, but the written plan itself is required for everyone. This template includes the full set, so you don’t outgrow it.

Is this the same as the IRS template in Publication 5708?

It follows the same outline and includes all six of Pub 5708’s sample attachments, updated where the FTC’s actual rule text is stricter than the 2024 sample language (for example, MFA scope) and extended with fiduciary and trust/estate specifics.

What do I have to fill in?

Firm name, your Data Security Coordinator and Public Information Officer, your data inventory and retention periods, your service providers, and the bracketed choices in each policy. The highlighted fields make them easy to find. Most firms finish in one sitting.

Does downloading this make my firm compliant?

No template can do that — compliance is the program you actually run: doing the risk assessment, training staff, testing safeguards, and keeping the acknowledgments on file. The template builds that documentation trail for you, but you have to live it. It’s a starting point, not legal advice.

Do I need to name a security officer even as a solo preparer?

Yes — the rule requires a designated “qualified individual,” and in a solo practice that’s you. The template’s designation section handles the solo case and the outsourced-IT case.

What happens after I enter my email?

You get the Word document immediately on this page. We’ll also send occasional practical tips on data security and client document collection. No spam, unsubscribe anytime.

This template is provided as general information for tax, accounting, and fiduciary practices, based on IRS Publication 5708 and the FTC Safeguards Rule (16 CFR Part 314). It is not legal advice. Adapt it to your firm’s actual operations; state privacy and breach-notification laws may add requirements.