Compliance | 8 min read | April 2, 2026

How to Create a Written Information Security Plan (WISP) for Your Accounting Firm

IRS Publication 4557 requires tax professionals to have a WISP. Here's a practical guide to creating one.

What Is a WISP?

A Written Information Security Plan (WISP) is a document that describes how your firm protects client data. IRS Publication 4557 requires all tax professionals to have one.

Think of it as a written commitment to your clients and the IRS that you take data security seriously — and here's exactly how you do it.

What Must Be Included?

The IRS and FTC Safeguards Rule require these sections:

1. Employee Management and Training

  • Who has access to client data?
  • What training do they receive on data security?
  • What happens when an employee leaves? (access revocation)
2. Information Systems

  • What software and hardware do you use?
  • How is data stored and backed up?
  • What third-party services have access to client data? (This includes your client portal, email provider, cloud storage, accounting software)
3. Detecting and Managing System Failures

  • How do you monitor for unauthorized access?
  • What is your incident response plan?
  • Who do you notify in case of a breach?
4. Physical Security

  • Where are computers and paper files stored?
  • Who has physical access to your office?
  • How do you dispose of old hardware and paper records?
5. Protecting Data in Transit

  • How is data sent to and from clients?
  • What encryption is used?
  • Are USB drives and portable devices encrypted?
Including Your Client Portal in Your WISP

If you use a client portal like Veniara, document it in the "Information Systems" and "Protecting Data in Transit" sections:

  • Service provider: Veniara Inc.
  • Data stored: Client documents, messages, invoices, questionnaire responses
  • Encryption: AES-256 at rest, TLS 1.3 in transit
  • Access controls: Row-Level Security, per-organization isolation, MFA support
  • Data residency: United States (AWS infrastructure)
  • Audit logging: All access logged with timestamps and IP addresses
  • Incident response: 72-hour breach notification commitment
  • DPA: Data Processing Agreement available upon request

Getting Started

  • Download the WISP template from IRS.gov
  • Customize it for your firm's specific tools and processes
  • Include all third-party service providers
  • Review annually and update when anything changes
  • Train all employees on the plan

We also provide a compliance resources page with specific WISP language for firms using Veniara.

Don't Overthink It

A WISP doesn't need to be 50 pages. For a solo practitioner, 5-10 pages covering the required sections is sufficient. The key is that it exists, it's specific to your firm, and you actually follow it.
