Copyright 2026 Breichbilt LLC
A Written Information Security Plan (WISP) is required by federal law for every professional tax preparer — the FTC Safeguards Rule applies to tax and accounting firms of any size, even solo practices. This free fillable Word template covers every required element, following the IRS Publication 5708 format, so you can complete yours in an afternoon instead of starting from a blank page.
Your template is ready — download it below.
Download the WISP Template (Word)We’ll email you occasional practical security and client-experience tips for firms like yours. Unsubscribe anytime.

If your firm prepares tax returns, keeps books, or manages trust and estate records, the Gramm-Leach-Bliley Act treats you as a financial institution — and the FTC Safeguards Rule (16 CFR Part 314) requires you to implement and maintain a written information security plan. There’s no small-firm pass: the IRS reminds preparers that the rule applies “regardless of size,” and the annual PTIN renewal now asks you to confirm your data security responsibilities. If a client, an insurer, or the IRS asks to see your WISP tomorrow, this template is the fastest honest way to have a real answer.
A complete, fillable plan — not an outline you still have to write:
We didn’t summarize a summary. This template was checked line-by-line against the current text of 16 CFR Part 314 and the IRS’s own Pub 5708 sample plan (rev. 8-2024). Every element of § 314.4(a) through (j) — all nine program elements plus the 2023 breach-notification requirement — maps to a numbered section in the document. Where the sample IRS language is looser than the actual rule (like multi-factor authentication, which the rule requires for any system access, not just remote login), the template follows the rule.
Your WISP has to describe how client documents actually move between you and your clients. If the honest answer is “email attachments,” the plan contradicts itself — the Safeguards Rule requires encryption in transit, and a plain email attachment isn’t that.
The template’s Electronic Exchange section is written for a portal-first practice: files exchanged through a secure client portal that encrypts in transit and at rest, authenticates the recipient, and logs access. That’s the part Zapa handles — a portal simple enough that clients of any age actually use it, with unlimited users and no per-seat fees.
Yes. The FTC Safeguards Rule applies to professional tax preparers as financial institutions regardless of size. Some elements (like penetration testing and the annual written report) are only required once you hold information on 5,000 or more consumers, but the written plan itself is required for everyone. This template includes the full set, so you don’t outgrow it.
It follows the same outline and includes all six of Pub 5708’s sample attachments, updated where the FTC’s actual rule text is stricter than the 2024 sample language (for example, MFA scope) and extended with fiduciary and trust/estate specifics.
Firm name, your Data Security Coordinator and Public Information Officer, your data inventory and retention periods, your service providers, and the bracketed choices in each policy. The highlighted fields make them easy to find. Most firms finish in one sitting.
No template can do that — compliance is the program you actually run: doing the risk assessment, training staff, testing safeguards, and keeping the acknowledgments on file. The template builds that documentation trail for you, but you have to live it. It’s a starting point, not legal advice.
Yes — the rule requires a designated “qualified individual,” and in a solo practice that’s you. The template’s designation section handles the solo case and the outsourced-IT case.
You get the Word document immediately on this page. We’ll also send occasional practical tips on data security and client document collection. No spam, unsubscribe anytime.
This template is provided as general information for tax, accounting, and fiduciary practices, based on IRS Publication 5708 and the FTC Safeguards Rule (16 CFR Part 314). It is not legal advice. Adapt it to your firm’s actual operations; state privacy and breach-notification laws may add requirements.