Complete 2026 Guide for Tax Professionals

WHAT IS A WISP FOR TAX PREPARERS?

BY DENNIS PATINO · FOUNDER, MOSTRO CYBERSECURITY · UPDATED · 8-MIN READ

THE SHORT ANSWER

A WISP (Written Information Security Plan) is the data-security plan every IRS PTIN holder is required to maintain. IRS Publication 4557 defines the requirement; Publication 5708 provides the template. Since 2024, Form W-12 Line 11 requires every PTIN holder to certify, under penalty of perjury, that they have one in place — whether the firm files 11 returns or 10,000.

WHO IS REQUIRED TO HAVE A WISP?

Every paid tax-return preparer who holds an IRS Preparer Tax Identification Number (PTIN) is required to maintain a WISP. That includes CPAs, enrolled agents, attorneys preparing returns for compensation, and unenrolled preparers. There is no minimum-client threshold — a preparer filing eleven returns has the identical obligation as a firm filing ten thousand. The legal basis is the Gramm-Leach-Bliley Act, which classifies tax preparers as financial institutions and brings them under the FTC Safeguards Rule.

THE REGULATORY BACKBONE

Five federal authorities define what a WISP must address and what happens when one is missing or insufficient:

  • IRS Publication 4557 — Safeguarding Taxpayer Data. The primary IRS guidance document defining what tax preparers must do to protect taxpayer information.
  • IRS Publication 5708 — Creating a WISP. The step-by-step implementation framework and sample WISP template.
  • FTC Safeguards Rule. Federal regulation requiring written security programs, vendor oversight, employee training, and incident-response planning for non-bank financial institutions.
  • Gramm-Leach-Bliley Act (GLBA). Statute classifying tax preparers as financial institutions and triggering Safeguards-Rule applicability.
  • IRC §7216. Federal criminal statute prohibiting unauthorized disclosure or use of taxpayer information; carries potential fines and imprisonment.

WHAT A COMPLIANT WISP MUST CONTAIN

A WISP is not a one-page declaration. To satisfy IRS Publication 4557 and withstand FTC scrutiny, it must address each of the following:

  1. Designation of a security coordinator — a named individual accountable for the plan.
  2. Documented risk assessment — every system, device, vendor, and workflow that touches taxpayer nonpublic personal information (NPI, the GLBA term for the data the Safeguards Rule protects).
  3. The IRS Security Six — anti-virus / EDR, firewall, multi-factor authentication, backup software, drive encryption, and a VPN, deployed on every device used for tax preparation.
  4. Access controls — least-privilege access to taxpayer data, documented.
  5. Employee security training — completed, dated, signed, and retained.
  6. Vendor oversight — every third party that touches taxpayer data, inventoried, with its security practices confirmed and documented.
  7. Incident-response plan — who is contacted, what is logged, how taxpayers and the IRS Stakeholder Liaison are notified.
  8. Annual review and update — the WISP is a living document, timestamped at every review.
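The list above is the plan; what auditors, carriers and opposing counsel actually ask for is the evidence that the controls exist on the machines. The script below is an added example, not code from the page or from Mostro, showing one way to collect that evidence for the Security Six on a single Windows 10/11 endpoint. It assumes Microsoft Defender, Windows Firewall and BitLocker are the products in use (other products need their own checks), that the backup product writes to a known folder, and that the evidence file lives under C:\WISP\evidence; the output path, parameter names and the seven-day signature and two-day backup thresholds are assumptions. MFA and VPN enforcement cannot be verified from the endpoint alone, so the script records them as attestations made by the named security coordinator.

```powershell
# Added example (not from the page): collect timestamped, hash-indexed evidence
# for the IRS "Security Six" on one Windows endpoint. Run from an elevated prompt.
# Assumed controls: Microsoft Defender, Windows Firewall, BitLocker. MFA and VPN
# are recorded as the coordinator's attestation; backup freshness is inferred from
# the newest file under an assumed backup destination.
param(
    [string]$OutDir            = "C:\WISP\evidence",     # assumed evidence-file location
    [string]$BackupTarget      = "D:\Backups",           # assumed backup destination
    [string]$Coordinator       = "Security Coordinator", # the named individual from item 1
    [bool]  $MfaOnAllAccounts  = $false,                 # manual attestation (item 3, MFA)
    [bool]  $VpnRequiredOffsite = $false                 # manual attestation (item 3, VPN)
)

$findings = [ordered]@{}

# Anti-virus: Defender service running, real-time protection on, signatures under 7 days old.
$mp = Get-MpComputerStatus
$sigAgeDays = (New-TimeSpan -Start $mp.AntivirusSignatureLastUpdated -End (Get-Date)).Days
$findings['AntiVirus'] = [ordered]@{
    ServiceEnabled      = [bool]($mp.AMServiceEnabled)
    RealTimeProtection  = [bool]($mp.RealTimeProtectionEnabled)
    SignatureAgeDays    = $sigAgeDays
    Pass                = [bool]($mp.AMServiceEnabled) -and [bool]($mp.RealTimeProtectionEnabled) -and ($sigAgeDays -le 7)
}

# Firewall: Domain, Private and Public profiles must all be enabled.
$profiles = Get-NetFirewallProfile
$disabledProfiles = @($profiles | Where-Object { "$($_.Enabled)" -ne 'True' })
$findings['Firewall'] = [ordered]@{
    Profiles = ($profiles | ForEach-Object { "$($_.Name)=$($_.Enabled)" }) -join '; '
    Pass     = ($disabledProfiles.Count -eq 0)
}

# Drive encryption: every OS and data volume must have BitLocker protection on.
$vols = Get-BitLockerVolume | Where-Object { $_.VolumeType -in @('OperatingSystem', 'Data') }
$unprotected = @($vols | Where-Object { "$($_.ProtectionStatus)" -ne 'On' })
$findings['DriveEncryption'] = [ordered]@{
    Volumes = ($vols | ForEach-Object { "$($_.MountPoint) $($_.VolumeStatus)/$($_.ProtectionStatus)" }) -join '; '
    Pass    = ($vols.Count -gt 0) -and ($unprotected.Count -eq 0)
}

# Backup: newest file under the assumed backup target must be less than 2 days old.
$newest = $null
if (Test-Path $BackupTarget) {
    $newest = Get-ChildItem -Path $BackupTarget -Recurse -File -ErrorAction SilentlyContinue |
              Sort-Object LastWriteTime -Descending | Select-Object -First 1
}
$findings['Backup'] = [ordered]@{
    Target     = $BackupTarget
    NewestFile = if ($newest) { $newest.LastWriteTime.ToString('o') } else { 'none found' }
    Pass       = [bool]$newest -and ((Get-Date) - $newest.LastWriteTime).TotalDays -lt 2
}

# MFA and VPN: not observable from the endpoint; record the coordinator's attestation.
$findings['MFA'] = [ordered]@{ AttestedBy = $Coordinator; Pass = $MfaOnAllAccounts }
$findings['VPN'] = [ordered]@{ AttestedBy = $Coordinator; Pass = $VpnRequiredOffsite }

# Write a timestamped JSON record and append its SHA-256 to an index so later
# edits to the evidence are detectable.
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$path   = Join-Path $OutDir "security-six-$($env:COMPUTERNAME)-$stamp.json"
$record = [ordered]@{
    Host        = $env:COMPUTERNAME
    User        = $env:USERNAME
    Collected   = (Get-Date).ToString('o')
    Coordinator = $Coordinator
    AllPass     = (@($findings.Values | Where-Object { -not $_.Pass }).Count -eq 0)
    Findings    = $findings
}
$record | ConvertTo-Json -Depth 5 | Set-Content -Path $path -Encoding UTF8
$hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
"$hash  $(Split-Path $path -Leaf)" | Add-Content -Path (Join-Path $OutDir 'evidence-index.sha256')

# Console summary for the person running it.
$findings.GetEnumerator() | ForEach-Object {
    '{0,-16} {1}' -f $_.Key, $(if ($_.Value.Pass) { 'PASS' } else { 'FAIL' })
}
Write-Output "Evidence written to $path (SHA-256 $hash)"
```

Run it on each machine used for tax preparation at every WISP review and keep the JSON files and the hash index with the plan. The record shows one endpoint at one moment; it does not replace the written plan, the training records or the vendor inventory, and the MFA, VPN and backup entries are only as good as the attestation or the assumed backup location behind them.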

FORM W-12 LINE 11 — THE PERJURY ATTESTATION

The most consequential change to PTIN renewal in years was the addition of Line 11 to Form W-12. Every preparer renewing or applying for a PTIN must check a box certifying — under penalty of perjury — that they have implemented a WISP compliant with IRS Publication 4557 and the FTC Safeguards Rule.

Approximately 810,000 preparers sign this attestation every year. A meaningful share of them have nothing behind the signature. Checking the box without an implemented WISP creates direct legal exposure — both as a Title 18 perjury question and as a regulatory matter the IRS can act on if asked to produce the plan.

WHAT HAPPENS IF A PREPARER HAS NO WISP?

Consequences compound. PTIN suspension or revocation removes the ability to legally prepare returns. EFIN revocation removes the ability to e-file. FTC enforcement penalties under the amended Safeguards Rule can reach tens of thousands of dollars per violation, per day. Cyber-insurance carriers can deny claims after a breach when the insured cannot produce a documented WISP, even with all premiums paid. Civil liability from affected taxpayers, state-board complaints, and reputational damage typically follow.

IS A FREE WISP TEMPLATE ENOUGH?

A template — including the official Publication 5708 sample — provides only the structural framework. To actually comply, the WISP must describe safeguards that are actively in place, maintained, and documented. The IRS, the FTC, and any plaintiff's attorney are looking for evidence that the controls described in the plan exist in reality. A downloaded PDF that was never implemented does not satisfy that standard, regardless of how thorough the template was.

THE HONEST POSITION

A WISP is not paperwork. It is evidence. Build it as a real plan, implement the controls it describes, maintain it as a living document, and keep timestamped proof of every review. That is the version that holds up — under IRS audit, under an FTC inquiry, under a malpractice discovery request, and under your own Form W-12 signature.

MOSTRO 1040 builds the WISP, implements the controls, maintains the evidence file, and keeps it all current. If that's the version you want, the discovery call is thirty minutes and brutally honest.

FREQUENTLY ASKED QUESTIONS

Do solo tax preparers need a WISP, or just larger firms?
Solo preparers are subject to the same requirement as multi-partner firms. There is no minimum-client threshold under IRS Publication 4557 or the FTC Safeguards Rule. If a preparer holds a PTIN and prepares returns for compensation, the WISP requirement applies.
How often must a WISP be reviewed and updated?
At least annually, and after any material change: new software, new staff, new vendors, a security incident, or a change in the regulatory environment. Each review should be dated and documented; an undated WISP is functionally indistinguishable from no WISP at all during an audit.
Does the WISP need to be submitted to the IRS?
No. The WISP is not filed with the IRS. It must be maintained by the firm and produced on request, including in response to IRS inquiries, FTC investigations, cyber-insurance audits, or litigation discovery. Form W-12 Line 11 attests that one exists; producing it is the firm's burden if asked.
What about staff who use personal AI tools like ChatGPT with client data?
Pasting client data into a personal AI account can constitute an unauthorized disclosure of taxpayer information under IRC §7216, with criminal penalties potentially attaching to both the firm and the individual preparer. The WISP must address AI use specifically, either by prohibiting it on personal accounts or by providing a governed alternative, such as a firm-controlled AI environment that logs interactions and prevents NPI from leaving the firm.
Will the IRS actually ask to see a WISP?
The IRS Stakeholder Liaison can request a WISP as part of a data-loss inquiry, an e-Services account compromise, or in response to a complaint. The FTC may request one during a Safeguards Rule investigation. Cyber-insurance carriers request them after a breach. State licensing boards may request them in connection with disciplinary inquiries. Once any of those parties asks, the time to have built one has already passed.