Written Information Security Plan (WISP) Template for Accountants/CPAs


This Written Information Security Plan (WISP) template is designed for accountants and Certified Public Accountants (CPAs) to ensure the protection of sensitive client data and compliance with IRS regulations and guidelines. It provides a framework for identifying risks, implementing security measures, and maintaining and reviewing security protocols.


The purpose of this WISP is to establish and maintain a comprehensive information security program that ensures the confidentiality, integrity, and availability of sensitive client data. It outlines the administrative, technical, and physical safeguards implemented to protect against unauthorized access, use, alteration, destruction, or disclosure of client data.


This WISP applies to all employees, contractors, and third parties who have access to sensitive client data within [Firm’s Name]. It covers all forms of data, including electronic and paper records.

Identification of Risks

Conduct regular risk assessments to identify potential threats to client data.

Evaluate the likelihood and potential impact of these risks.

Security Measures

Administrative Safeguards

Policies and Procedures

Develop and implement policies governing data security and confidentiality.

Establish protocols for data handling, storage, transmission, and disposal.

Employee Training

Conduct regular training sessions on data security, phishing awareness, and safe data handling practices.

Document all training activities and maintain records.

Access Controls

Restrict access to sensitive data to authorized personnel only.

Implement strong authentication measures.

Technical Safeguards

Secure Networks

Use firewalls, encryption, and intrusion detection systems to protect electronic data.

Regularly update and patch all software and systems.

Data Backup and Recovery

Implement regular data backup procedures.

Develop a disaster recovery plan to ensure the availability of data in the event of an incident.

Mobile Device Management

Establish security protocols for the use of mobile devices and remote access.

Physical Safeguards

Secure Premises

Ensure that physical access to facilities where sensitive data is stored is secure.

Implement measures like locks, alarm systems, and surveillance cameras.

Secure Disposal

Dispose of paper records containing sensitive data securely, such as through shredding.

Follow secure data deletion protocols for electronic data.

Incident Response Plan

Develop a plan to respond to data breaches or security incidents.

Include procedures for containment, investigation, notification, and recovery.

Monitoring and Review

Regularly review and update the WISP to ensure its effectiveness.

Monitor compliance with the WISP and take corrective actions as necessary.


All employees, contractors, and relevant third parties must acknowledge that they have read, understood, and agreed to comply with this WISP.

This template serves as a starting point for accountants and CPAs to develop their own WISP. It is crucial to customize this template to the specific needs and circumstances of the practice, ensuring all IRS guidelines and industry best practices are adequately addressed. Regular updates, audits, and employee training are key to maintaining the effectiveness of the WISP.