Even as tax pros emerge from yet another fall busy season, only to take a breath and prepare for next year, knowing where you stand on data security is a year-round priority. It is at this time, in particular, that you need to give attention to your WISP.
For those still unfamiliar with the concept, a written information security plan is a mandatory, comprehensive document for accountants, CPAs and tax professionals that outlines a firm's strategy to safeguard sensitive client data from unauthorized access, theft or misuse. Moreover, a well-structured WISP is essential for complying with federal and state regulations — such as
So, if your WISP is even more than a year old, or perhaps whatever security plan you have is scattered across spreadsheets and emails, then it's time for a thorough review. I would even go so far as to say an updated and tested WISP is no longer just a compliance checkbox; it is a core element of effective risk management and business resilience.
5 reasons why last year's WISP may not be enough
- Legal compliance: For tax professionals, having a WISP is not optional; it's a legal requirement. When renewing your PTIN on IRS Form W-12, Question 11 specifically asks you to confirm that you have a WISP in place. Providing a false response is considered perjury and may lead to serious consequences, including PTIN termination or even revocation of your license.
- Ransomware and resilience: The threats have evolved and changed. According to a report by Mimecast, the human element is often the primary cause of breaches, and ransomware remains a persistent threat. This underscores the need to prioritize access controls, phishing resilience and regular response rehearsals. Tools alone should not be the focus — your plan must center on people and processes, supported by clear metrics and benchmarks to demonstrate effectiveness.
- Mandatory breach notification: If you store or process financial data of customers, the Federal Trade Commission Safeguards Rule now requires you to notify the FTC of any breach within 30 days if the breach has affected more than 500 customers. This change should be reflected in your incident-response section and standard operating procedures.
- New tech, new risks: Your business has changed, too. If you have undergone migration to new SaaS platforms, AI adoption, M&A, new data flows, remote hires or fresh third‑party integrations, all these changes affect your cybersecurity requirements and the nature of potential threats. If the WISP does not reflect today's asset inventory, data classifications and vendor list, it can't guide today's risk-mitigating decisions and policies.
- Increased expectations: Regulators have raised expectations. NIST Cybersecurity Framework 2.0 has introduced a new governance function and clarified outcomes across risk management, supply chain, and measurement. Even if you don't want to align with NIST CSF, most customers, auditors and cyber insurers align with it now. Updating your WISP to be in sync with CSF 2.0 lends it authenticity and makes it trustworthy.
What should be in your WISP?
Once you've made the move to update your WISP, here are several essential items it should contain and specifically address:
- Governance and risk management: Start with accountability and clear oversight. Define who in your firm is responsible for the plan (or which outside party is engaged to handle it). Whether it's leadership, IT (internal or external), legal or HR, they need to set reporting cadences and escalation thresholds. The WISP should also classify data (public, internal, confidential, regulated) and show how risk assessments shape budgets, controls and exception handling.
- Information assets and access controls: Your plan must track every asset — endpoints, databases, cloud apps and privileged accounts — and keep this inventory updated. Just as important is access: phishing-resistant multifactor authentication and automated joiner/mover/leaver workflows both reduce risk from insiders and attackers alike.
- Secure operations and technology use: Security should be built into everyday processes, from code reviews and dependency scans to documented change approvals and rollbacks. With new tools like AI and LLMs, your WISP must outline safe usage policies to protect data and avoid unintended exposure.
- Third-party oversight and incident response: Vendors handling client data must be vetted, monitored and contractually bound to security standards. Your WISP should also detail how incidents are handled — who decides materiality, how regulators like the FTC are notified within 30 days, and how communication is managed.
- Resilience, awareness and continuous improvement: Resilience means tested backups, disaster recovery plans and measurable employee awareness training. A modern WISP tracks security metrics like multifactor authentication adoption and patch compliance, while aligning with standards like ISO 27001 and NIST CSF 2.0 to stay audit-ready.
DIY vs. managed WISP
While some firms try to build and maintain a WISP on their own, this DIY route can be time-consuming and often overlooks evolving regulations or hidden risks. A managed WISP solution, by contrast, brings expert oversight, regular updates and tested playbooks that keep you audit-ready and compliant with IRS and FTC expectations.
For practices without in-house security expertise, outsourcing WISP management to an experienced, knowledgeable managed service provider can save time, reduce risk and provide confidence that client data is protected to the highest standards.
Protect your organization with a robust WISP
As things hopefully begin to wind down for you this year, right now is the best window to review or construct your WISP. An outdated WISP isn't just a compliance issue, it's a business risk.
Updating it now ensures you're ready for IRS and FTC requirements, resilient against evolving threats, and positioned to protect the client trust that drives your practice.