
IRS Mandates Annual Written Information Security Procedures (WISP) for All PTIN Holders
IRS Mandates Annual WISP Compliance for PTIN Holders: Secure Your Practice Today
As a professional tax preparer with a PTIN, safeguarding your clients’ sensitive information isn’t just a best practice—it’s now an IRS requirement. The agency has mandated that all PTIN holders establish and maintain Annual Written Information Security Procedures (WISP) to protect confidential data from cyber threats, identity theft, and unauthorized access.
Why WISP Matters:
Stay Compliant: Avoid penalties and maintain good standing with the IRS.
Protect Client Data: Strengthen data security to prevent costly breaches and identity theft.
Build Trust: Demonstrate your commitment to safeguarding personal and financial information.
Get Started with WISP
We specialize in helping PTIN holders navigate the annual WISP mandate. From drafting customized security policies to implementing best-in-class cybersecurity protocols, our experts ensure you’re fully compliant—so you can focus on providing top-notch tax services.
Ready to Secure Your Practice?
Stay ahead of evolving IRS regulations with a comprehensive Written Information Security Plan tailored to your needs. Contact us today to learn how we can help you meet IRS requirements and protect what matters most: your clients.
Welcome to Your Guide for IRS-Mandated Written Data Security Procedures (WISP)
Annual WISP Requirements: Protect Client Data and Comply with IRS Regulations
The IRS now mandates that all PTIN holders, Tax Preparers, and EROs implement annual Written Information Security Procedures (WISP). This crucial measure ensures your business meets federal compliance standards while safeguarding sensitive client information. A documented WISP reinforces your commitment to protecting Personally Identifiable Information (PII), solidifying trust with clients and regulators alike.
Why Must the WISP Be Written?
A written WISP outlines clear, actionable steps for maintaining data security. By formally documenting protocols, your firm:
- Ensures every employee understands their responsibilities
- Demonstrates compliance in the event of an IRS audit
- Establishes a consistent, repeatable approach to cybersecurity
Do All Employees Need to Sign the WISP?
Absolutely. Every team member must review and sign the WISP to confirm they understand and will follow established security practices. This collective commitment ensures:
- Unified compliance with IRS regulations
- Accountability for safeguarding sensitive data
- Regular updates to keep pace with evolving security threats
Key Roles in Implementing a WISP
Data Security Coordinator (DSC)
The DSC spearheads the creation, implementation, and maintenance of the WISP. Responsibilities include:
- Conducting risk assessments
- Ensuring ongoing compliance with data security standards
- Coordinating employee training and awareness
Public Information Officer (PIO)
The PIO handles communication about your organization’s data security policies:
- Maintains transparency with clients regarding how their data is protected
- Addresses concerns or inquiries about data breaches and security incidents
Personally Identifiable Information (PII)
Your WISP must identify and secure all PII collected and handled, including:
- Social Security Numbers
- Financial details
- Contact information (addresses, phone numbers, email)
By proactively detailing how PII is stored, accessed, and protected, you demonstrate a robust commitment to client privacy and IRS compliance.
Stay Compliant and Protect Your Clients
Meeting the annual WISP requirement is more than a regulatory obligation—it’s an integral part of running a secure and reputable tax practice. Make sure your written WISP is comprehensive, up-to-date, and actively enforced to maintain client trust and IRS compliance year-round.
Key Roles in Implementing a WISP
- Data Security Coordinator (DSC)
The DSC oversees the development, implementation, and maintenance of the WISP. This includes conducting regular risk assessments, ensuring compliance with data security standards, and coordinating employee training to address potential vulnerabilities.
- Public Information Officer (PIO)
The PIO handles communication about the organization's data security policies, both internally and externally. This role ensures transparency with clients regarding how their sensitive information is protected and addresses any inquiries or incidents involving data breaches.
- Personally Identifiable Information (PII)
The WISP must identify and secure all PII handled by the organization, including sensitive client data managed by PTIN holders, Tax Preparers, and EROs. PII includes Social Security Numbers, financial details, addresses, and other private information critical to tax preparation.
Protect Your Business and Clients with a Comprehensive WISP
Developing and implementing a WISP is not just a regulatory requirement—it’s a vital step in protecting your business and clients. Appointing a DSC and PIO, training employees, and securing client PII are essential components of staying compliant and maintaining trust. Regularly updating your WISP ensures your business remains resilient against evolving cybersecurity threats.
Start today by creating your IRS-mandated WISP. Stay compliant, protect sensitive data, and build a secure future for your business.
- Protect Your Clients; Protect Yourself
- IRS Guides on identity theft (all links are below and in the Appendix of the 2025 WISP)
- Report a Breach - State Data Breach Contacts (all state links are in the Appendix of the 2025 WISP)
- State Attorneys General - Most states require that the state attorney general be notified of data breaches.
- IRS "6" Mandated Standards - IRS Publication 1345
- Data Security Coordinator Compliance Person - Responsibilities
- Data Security Coordinator Compliance Person - Agreement and Attachment #3
- Public Information Officer - Responsibilities
- Public Information Officer - Agreement
- Document Safety Measures in Place with Suggested Policies to Include in your WISP - Template #8
- Firm Employees Authorized to Access PII - Template #9
- Employee Acknowledgement of Understanding - Agreement - Attachment #5
- Contractor Acknowledgement of Understanding - Agreement - Attachment #5
- Government Agencies - Ongoing
- Remote Working Employees - Template and Agreement
- Remote Working Contractors - Template and Agreement
- PII Disclosure Policy
- Reportable Events Policy
- WISP and HIPAA - Satisfying PII Protection Requirements through a Written Information Security Plan (WISP) in Compliance with HIPAA, IRS, and FTC Regulations
- WISP Duties of ERO Electronically File - Template to capture the key duties of an EFIN and PTIN holder serving as an ERO
- IRS Publication 1345 - Templates of:
  - Key E-File Requirements Outlined
  - What are the EFIN, PTIN and ERO Duties After Submitting the Return to the IRS
- IRS Publication 5461 - Protect personal and financial information online
- IRS Publication 5461d - Tax professionals should review their security protocols
- IRS Publication 4557 - Template of: Safeguarding Taxpayer Data
- WISP Reportable Event Policy
- IRS Publication 5708 - Templates of:
  - What Does the FTC Require for WISP Compliance
- IRS Publication 5709 - Templates of:
  - IRS Mandated "6" Standards;
  - WISP security procedures Authorized IRS e-file Providers;
  - Intermediate Service Provider receives tax information from an Electronic Return Originator (ERO);
  - IRS e-file Rules and Requirements
- IRS Publication 5293 - Templates of:
  - track and document ERO duties...;
  - Learn the Signs of Data Theft;
  - Proactive Security Practices...;
- Professional Responsibility and Data Security: Practitioners’ Obligation to Have a Written Information Security Plan (https://www.writtendatasecurityplan.com/documents/2023-10-careful-wisp(ef)-professional-responsibility-and-data-security.pdf)
- IRS Publication 5293 - Content and Templates
- WISP - EFIN, PTIN and ERO - Content and Templates
Contact Us for Written Data Security Plan payment processing