Why Now’s the Time to Review Your WISP

Technology | October 16, 2025

An updated and tested Written Information Security Plan is no longer just a compliance checkbox; it is a core element of effective risk management and business resilience.

By Dr. Sangeeta Chhabra

Even as tax pros emerge from yet another fall busy season, take a breath, and start prepping for next year, knowing where you stand on data security remains a year-round priority. This is the point in the year when your WISP in particular deserves attention.

For those still unfamiliar, a Written Information Security Plan is a mandatory, comprehensive document for accountants, CPAs, and tax professionals that outlines a firm’s strategy to safeguard sensitive client data from unauthorized access, theft, or misuse. Moreover, a well-structured WISP is essential for complying with federal and state regulations, such as IRS requirements (Publication 4557) and the Gramm-Leach-Bliley Act, maintaining client trust, and upholding professional credibility.

So, if your WISP is more than a year old, or if whatever security plan you have is scattered across spreadsheets and emails, then it’s time for a thorough review. I would even go so far as to say an updated and tested WISP is no longer just a compliance checkbox; it is a core element of effective risk management and business resilience.

5 reasons why last year’s WISP may not be enough

1. Legal compliance: For tax professionals, having a WISP is not optional; it’s a legal requirement. When renewing your PTIN (preparer tax identification number) on IRS Form W-12, Question 11 specifically asks you to confirm that you have a WISP in place. Providing a false response is considered perjury and may lead to serious consequences, including PTIN termination or even revocation of your license.

2. Increased expectations: Regulators have raised expectations. NIST CSF (Cybersecurity Framework) 2.0 has introduced a new Govern function and clarified outcomes across risk management, supply chain, and measurement. Even if you don’t intend to align with NIST CSF formally, most customers, auditors, and cyber insurers now measure against it. Updating your WISP to be in sync with CSF 2.0 gives it credibility with those audiences and makes it easier to defend in an audit.

3. Ransomware and resilience: The threats have evolved. According to a report by Mimecast, the human element is often the primary cause of breaches, and ransomware remains a persistent threat. This underscores the need to prioritize access controls, phishing resilience, and regular response rehearsals. Tools alone should not be the focus: your plan must center on people and processes, supported by clear metrics and benchmarks to demonstrate effectiveness.

4. Mandatory breach notification: If you store or process customers’ financial data, the FTC Safeguards Rule now requires you to notify the FTC of a breach within 30 days if the breach has affected more than 500 customers. This change should be reflected in your incident-response section and SOPs (standard operating procedures).

5. New tech, new risks: Your business has changed, too. Migrations to new SaaS platforms, AI adoption, M&A, new data flows, remote hires, and fresh third-party integrations all change your cybersecurity requirements and the nature of the threats you face. If the WISP does not reflect today’s asset inventory, data classifications, and vendor list, it can’t guide today’s risk-mitigating decisions and policies.

What should be in your WISP?

Once you’ve made the move to update your WISP, here are several essential items it should contain and specifically address.

1. Governance and risk management: Start with accountability and clear oversight. Define who in your firm is responsible for it. Whether it’s leadership, IT (internal or external), legal, or HR, they need to set reporting cadences and escalation thresholds. The WISP should also classify data—public, internal, confidential, regulated—and show how risk assessments shape budgets, controls, and exception handling.

2. Information assets and access controls: Your plan must track every asset—endpoints, databases, cloud apps, and privileged accounts—and keep this inventory updated. Just as important is access: phishing-resistant multifactor authentication and automated joiner/mover/leaver workflows both reduce risk from insiders and from external attackers.

3. Secure operations and technology use: Security should be built into everyday processes—from code reviews and dependency scans to documented change approvals and rollbacks. With new tools like AI and large language models, your WISP must outline safe usage policies to protect data and avoid unintended exposure.

4. Third-party oversight and incident response: Vendors handling client data must be vetted, monitored, and contractually bound to security standards. Your WISP should also detail how incidents are handled—who decides materiality, how regulators like the FTC are notified within 30 days, and how communication is managed.

5. Resilience, awareness, and continuous improvement: Resilience means tested backups, disaster recovery plans, and measurable employee awareness training. A modern WISP tracks security metrics like multifactor authentication adoption and patch compliance while aligning with standards like ISO 27001 and NIST CSF 2.0 to stay audit-ready.

DIY vs. managed WISP

While some firms try to build and maintain a WISP on their own, this “DIY” route can be time-consuming and often overlooks evolving regulations or hidden risks. A managed WISP solution, by contrast, brings expert oversight, regular updates, and tested playbooks that keep you audit-ready and compliant with IRS and FTC expectations.

For practices without in-house security expertise, outsourcing WISP management to an experienced and knowledgeable managed service provider can save time, reduce risk, and provide confidence that client data is protected to the highest standards.

Protect your organization with a robust WISP

So, as things hopefully begin to wind down for you this year, right now is the best window to review or construct your WISP. An outdated WISP isn’t just a compliance issue; it’s a business risk. Updating it now ensures you’re ready for IRS and FTC requirements, resilient against evolving threats, and positioned to protect the client trust that drives your practice.

ABOUT THE AUTHOR:

Dr. Sangeeta Chhabra, co-founder and executive director of Ace Cloud Hosting, is a leader and innovative entrepreneur with more than 20 years of experience in the IT sector. She has positioned the company as a leading global provider of IT and managed cloud services, celebrated for its QuickBooks hosting tailored for the accounting sector, managed security services, Desktop as a Service, and public cloud offerings for SMBs and enterprises. Under her leadership, Ace Cloud Hosting was honored as the Best Outsourced Technology Provider at the CPA Practice Advisor Readers’ Choice Awards 2023, among other accolades. Beyond her professional successes, Dr. Chhabra is a passionate advocate for women’s empowerment and is committed to fostering an inclusive environment at Ace Cloud Hosting.

Photo credit: Dilok Klaisataporn/iStock
