WISP in Practice
Protect Your Clients
& Your License
WISP Requirement
This Is Not Optional

The FTC Safeguards Rule under the Gramm-Leach-Bliley Act requires every tax preparation business — including solo preparers working from home — to maintain a Written Information Security Plan (WISP).

The IRS has confirmed this through IRS Publication 5708 and its annual Security Summit guidance.

Failure to maintain a WISP can result in EFIN suspension, Circular 230 disciplinary action, FTC civil penalties, and civil liability to affected clients.

This course fulfills the requirement and gives you a finished, compliant plan before you leave.

24 hrs

IRS notification deadline after discovering a suspected or confirmed data breach

$0

Size exemption — solo preparers face the same legal obligation as 50-person firms

1×/yr

Minimum annual review required — plus off-cycle updates after any material change

7 yrs

Recommended retention period for all breach incident documentation and records

5

Core elements required in every compliant WISP under the FTC Safeguards Rule

2023

Year the FTC Safeguards Rule was strengthened MFA now explicitly required for all client data systems

What you will master

Legal Framework
Explain the legal chain from the Gramm-Leach-Bliley Act through the FTC Safeguards Rule to IRS Publication 5708 and why it applies to every preparer regardless of size or credential.
Complete a WISP
Complete all eight sections of the IRS WISP template using practice-specific information rather than generic placeholder language.
Risk Assessment
Conduct a written risk assessment covering electronic, physical, and transmitted taxpayer information and connect each risk to a safeguard.
Security Coordinator
Designate and document an Information Security Coordinator and satisfy the 2023 reporting requirement to firm leadership.
Breach Response
Execute a breach response in the correct sequence: containment, IRS notification, client notification, remediation, and documentation.
Ongoing Compliance
Implement annual reviews, MFA requirements, password policies, vendor oversight procedures, and remote-work security controls.

Course modules
Four modules · 18 lessons · mapped to IRS Publication 5708 and the FTC Safeguards Rule

1

What Is a WISP & Who Needs One

Definition · legal basis · who is covered · real-world breach consequences

  • 1.1 — Introduction & course overview: regulatory basis, four-module structure, how this course applies to your practice
  • 1.2 — What is a WISP: the six questions every WISP must answer, three categories of protected data, what a WISP is NOT
  • 1.3 — Who must have a WISP: the GLBA → FTC Safeguards Rule → Circular 230 chain, no size exemption, consequences of non-compliance
  • 1.4 — Real-world breach examples: phishing, ransomware, insider threat, physical theft — and what happens to preparers without a WISP
2

Building Your WISP

Five core elements · risk assessment · coordinator · employee training · IRS template walkthrough

  • 2.1 — The five core elements: coordinator, data inventory, written safeguards, vendor oversight, incident response plan — with solo-practice examples for each
  • 2.2 — Conducting a risk assessment: four-step process, data inventory table, threat categories (external/internal/accidental), likelihood-impact rating framework
  • 2.3 — Designating your Information Security Coordinator: required criteria, coordinator responsibilities, 2023 reporting requirement, sample WISP language
  • 2.4 — Employee training requirements: who must be trained, minimum content, delivery methods, training log format — including seasonal preparers
  • 2.5 — WISP template walkthrough: section-by-section guide to completing the IRS Security Summit template — common errors and how to avoid them
3

When Things Go Wrong

Breach response · IRS notification · client notification · documentation

  • 3.1 — Recognizing a breach: what counts as a breach, how phishing attacks unfold, the moment the 24-hour clock starts
  • 3.2 — Incident response plan step-by-step: four phases — contain, notify, assess/remediate, document — with a complete 48-hour timeline example
  • 3.3 — Reporting to the IRS: Stakeholder Liaison notification within 24 hours, what to say, FBI IC3 report, software vendor fraud line, state agency notification
  • 3.4 — Notifying clients: what to say and how to say it, IP PIN guidance, Form 14039, written notification template, 7-year documentation retention
4

Staying Compliant Year-Round

Annual review · passwords & MFA · vendor management · remote work · final exam

  • 4.1 — Annual WISP review checklist: eight-section review, off-cycle update triggers, documenting the review, most commonly outdated sections
  • 4.2 — Password policies & MFA: NIST 800-63B current guidance, 2023 MFA requirement for all client data systems, password manager implementation
  • 4.3 — Vendor & third-party management: covered vendors, SOC 2 evaluation, required contract provisions, vendor offboarding, sample vendor register
  • 4.4 — Remote work & device security: approved devices, VPN requirement, home network rules, mobile phone policies, annual home office audit

Who this course is for

Enrolled Agents
Satisfies IRS Federal Tax Law CE requirement — 2 hours toward annual CE obligation — and directly addresses Circular 230 §10.51 obligations.
AFSP Participants
Fulfills the data security component of the Annual Filing Season Program — fully IRS-approved CE in Federal Tax Law Topics.
Solo & Home-Based Preparers
No size exemption exists — a one-person practice has the same WISP obligation as a 50-person firm. This course is built for you.
Small Firm Owners
Covers employee training requirements, vendor management, and the coordinator designation — everything a multi-staff office needs.
CPAs & Attorneys
For professionals who prepare federal returns and must satisfy FTC Safeguards Rule and IRS security guidance applicable to tax preparation businesses.
Remote & Seasonal Preparers
Includes remote work device security and explicit coverage of seasonal preparer training requirements.