💡 The FTC Safeguards Rule specifies exactly what a WISP must contain. Missing any of these elements means your plan is incomplete — and potentially non-compliant.

1. Designated Qualified Individual

Your WISP must identify one person — by name and title — who is responsible for your information security program. This person is called the Qualified Individual (QI). In most small firms it's the owner. The QI is responsible for implementing the plan, overseeing security practices, and reporting to management annually.

2. Risk Assessment

You must document a formal risk assessment that identifies the reasonably foreseeable risks to customer data in your specific business. This isn't generic — it should reflect your actual systems, your staff, and your client base. The risk assessment must be reviewed and updated at least annually.

3. Access Controls

Your WISP must describe how you control who can access customer information. This includes requiring unique logins for each employee, implementing the principle of least privilege (people only access what they need), and having a process for revoking access when employees leave.

4. Multi-Factor Authentication

The 2023 update to the FTC Safeguards Rule specifically requires MFA for all systems containing customer information. Your WISP must document which systems have MFA enabled and how it's implemented. This is one of the most commonly missing elements in self-written WISPs.

5. Encryption

Customer data must be encrypted both at rest (on your devices and storage) and in transit (when sent over networks). Your WISP must document what encryption you use and on which systems. For most tax preparers this means BitLocker or FileVault on laptops and TLS encryption for email and file transfers.

6. Employee Training Program

Your WISP must describe your employee security training program — what it covers, how often it's conducted, and how completion is documented. Training must happen at onboarding and at least annually after that.

7. Vendor Management

Any service provider with access to your customer data must be covered by a written contract requiring them to maintain appropriate safeguards. Your WISP must list your key vendors and document how you oversee their security practices. This includes your tax software provider, cloud storage, IT support, and any contractors who access client files.

8. Incident Response Plan

Your WISP must include a documented plan for responding to security incidents. At minimum this covers: how you detect and contain a breach, how you assess the damage, who gets notified (including the IRS Stakeholder Liaison for taxpayer data breaches), and how you document and learn from the incident.

9. Annual Review Process

The Safeguards Rule requires you to review and update your WISP at least annually, or whenever there is a material change to your business. Your WISP must document this review process and include a scheduled review date. The review should be signed and dated as evidence it occurred.

⚠️ A WISP that's missing any of these 9 elements is incomplete. Generic templates frequently omit MFA documentation, vendor management, and incident response — three of the most commonly cited deficiencies in FTC investigations.

Why a Custom WISP Matters

Each of these 9 elements needs to reflect your actual business — your specific systems, your real vendors, your actual employees. A generic template that says "we use encryption" without specifying what encryption on what systems is not a compliant WISP. It's a placeholder that provides no real protection.

Get Started

Need Help Organizing Your WISP Documentation?

  • Guided questionnaire included
  • Customized WISP document
  • Word & PDF versions
  • Loom video walkthrough
  • Delivered in 48 hours
Start Here →

SafeguardsReady is not a law firm and does not provide legal advice. Documents are prepared based on publicly available FTC and IRS guidance. Consult a licensed attorney for advice specific to your compliance obligations.