A Written Information Security Plan (WISP) is a formal, documented cybersecurity program that explains how an accounting firm protects client data, manages security risks, and responds to potential incidents. For many CPA firms, a WISP is no longer optional—it is effectively required to meet expectations tied to the FTC Safeguards Rule, IRS Publication 4557, the Gramm-Leach-Bliley Act (GLBA), and modern cyber-insurance policies.
For accounting firms in New Jersey handling tax returns, financial statements, payroll data, and other sensitive information, a WISP provides the structured framework for protecting client data and demonstrating responsible security practices.
- A WISP is a documented security program that explains how your firm protects sensitive client data.
- Many accounting firms need a WISP to support FTC Safeguards Rule, IRS Publication 4557, GLBA, and cyber-insurance expectations.
- A strong WISP should reflect real security practices, not just a generic template.
- WISP documentation supports client trust, audit readiness, and long-term operational resilience.
Why Accounting Firms Are Expected to Maintain a WISP
Accounting firms manage highly sensitive information such as:
- Social Security numbers
- Tax returns and supporting documents
- Payroll and banking information
- Confidential business financial records
Because of this, firms are often subject to security expectations associated with:
- FTC Safeguards Rule requirements
- IRS Publication 4557 guidance for tax professionals
- Gramm-Leach-Bliley Act (GLBA) data protection expectations
- Cyber insurance underwriting requirements
A WISP demonstrates that the firm has implemented reasonable, documented safeguards to protect client data—not just installed security software.
What a Proper WISP Should Include
A well-structured WISP typically contains 6–10 documented components that outline how an accounting firm protects sensitive data.
1. Risk Assessment Process
A documented process for identifying internal and external threats to client data and evaluating potential vulnerabilities.
2. Access Control Policies
Policies that define who can access systems, data, and applications, and how that access is managed.
3. Multi-Factor Authentication (MFA) Requirements
Security controls requiring MFA for email systems, cloud platforms, remote access, and administrative accounts.
4. Data Encryption Standards
Policies describing how sensitive data is protected both in transit and at rest.
5. Incident Response Procedures
Clear steps outlining how the firm detects, responds to, and recovers from a cybersecurity incident.
6. Vendor and Third-Party Oversight
Processes for evaluating software providers, cloud vendors, and external partners that may access firm data.
7. Security Awareness Training
Employee training programs designed to reduce phishing risks and human-error-based security incidents.
8. Backup and Recovery Policies
Documented procedures for backup frequency, retention policies, testing schedules, and recovery planning.
A WISP should function as the operational blueprint for the firm’s security program, not just a document stored for compliance purposes.
Common WISP Mistakes Accounting Firms Make
Many firms believe they have a WISP but discover gaps when regulators, clients, or insurers request documentation.
Common mistakes include:
- Using a generic template that does not match actual systems
- Creating a document but never reviewing or updating it
- Failing to document vendor security practices
- Not testing backups or incident response procedures
- Treating the WISP as paperwork rather than an operational framework
Modern compliance expectations increasingly require WISPs to reflect real operational practices, not simply exist as a static document.
How WISPs Connect to IRS Publication 4557 and the FTC Safeguards Rule
IRS Publication 4557, which provides security guidance for tax professionals, emphasizes the need for accounting firms to implement safeguards for protecting taxpayer data.
Similarly, the FTC Safeguards Rule requires organizations that handle financial information to maintain a comprehensive information security program.
While neither IRS Publication 4557 nor the FTC Safeguards Rule mandates a specific document format, many firms implement a WISP to demonstrate that they have:
- Conducted security risk assessments
- Implemented technical safeguards
- Documented policies and procedures
- Established incident response planning
In practice, a WISP often becomes the central framework tying these expectations together.
Why Cyber Insurance Providers Ask for a WISP
Cyber insurance providers increasingly require proof that firms have implemented documented security controls.
During underwriting or policy renewal, insurers may request evidence of:
- Multi-factor authentication deployment
- Backup testing procedures
- Security policies and documentation
- Incident response planning
Without documented controls, firms may face:
- Higher insurance premiums
- Coverage limitations
- Delayed or denied claims after a breach
A well-structured WISP helps demonstrate that the firm has taken reasonable steps to manage cybersecurity risk.
Real-World Perspective from Inside a Regional Accounting Firm
Total Cover IT Founder David Quick spent 17 years as the internal IT Director for a mid-sized regional accounting firm in New Jersey, supporting the firm as it grew from approximately 50 employees to more than 80.
During that time, David was responsible for:
- Designing, implementing, and maintaining the firm’s entire IT infrastructure
- Supporting specialized practice management and time and billing systems, workflow management tools, and various accounting, audit, and tax-related applications
- Minimizing downtime, especially during peak tax seasons
- Leading a full headquarters office relocation, including the migration and reassembly of core IT infrastructure, with minimal disruption
This experience reinforced an important reality: security policies must align with how accounting firms actually operate under deadline pressure, not simply exist as theoretical compliance documentation.
How Accounting Firms Should Approach WISP Development
Firm leadership should evaluate their WISP by asking:
- Does the document accurately reflect our current technology systems?
- Are security controls such as MFA and backup testing actually enforced?
- Is the WISP reviewed and updated annually?
- Could we confidently provide it during an audit or insurance review?
- Does our IT provider understand the security expectations specific to accounting firms?
A strong WISP supports client trust, regulatory readiness, and operational resilience.
View All Resources for Accounting Firms
This article is part of our Resources for Accounting Firms series addressing IT costs, security requirements, compliance expectations, and operational risk for CPA firms.
FAQ
What is a WISP for an accounting firm?
A WISP is a Written Information Security Plan that documents how an accounting firm protects sensitive client information, manages cybersecurity risk, and responds to incidents.
Why do accounting firms need a WISP?
Accounting firms handle tax records, payroll information, and other sensitive data, so a WISP helps demonstrate reasonable safeguards for regulatory expectations, client requirements, and cyber-insurance reviews.
What should a WISP include?
A strong WISP should typically include risk assessments, access controls, MFA requirements, encryption standards, incident response procedures, vendor oversight, security awareness training, and backup and recovery policies.
Is a WISP just a compliance document?
No. A WISP should reflect the firm’s real operational security practices and serve as a working framework for protecting client data, not just paperwork created for audits or insurance applications.
Need an IT partner that understands the real operational pressures accounting firms face?