5 Steps for Creating a Written Information Security Plan (WISP) in Your Accounting Firm

Published June 7, 2024
Cyber Security Strategy WISP Security Plan

Creating a Written Information Security Plan (WISP) is not just a regulatory requirement for accounting firms to renew their Preparer Tax Identification Number (PTIN); it’s a crucial step in safeguarding sensitive client data against increasing cyber threats. A WISP serves as both a blueprint for your cybersecurity strategy and a commitment to maintaining the highest security standards. Below, we outline five essential steps to craft an effective WISP that not only meets legal standards but also reinforces your firm’s defense against cyberattacks.

1. Engage IT Expertise

Collaborating with IT Professionals: Developing a robust WISP requires detailed technical knowledge that goes beyond the typical expertise of accountants. It’s advisable to involve an IT specialist who can oversee the cybersecurity program. This could be an internal team member or an external consultant from a trusted provider. These professionals will guide you through the technical requirements and help ensure your cybersecurity measures are up to par with regulatory standards.

Why IT Involvement is Crucial: Just as you wouldn’t expect an IT technician to handle complex tax filings, creating a WISP without IT expertise is impractical. These professionals will help decipher the technical jargon and implement the necessary security protocols, making the process smoother and more compliant with the FTC Safeguards Rule.

2. Catalog Your Security Tools and Protocols

Assessing Your Security Infrastructure: Begin by taking inventory of all your cybersecurity measures, including anti-phishing tools, antivirus software, and multifactor authentication systems. It’s vital to have a comprehensive understanding of how your firm protects its data. This step can be enlightening as it might reveal gaps in your current security measures or confirm the robustness of your defenses.

Importance of Comprehensive Protection: Multifactor authentication is a critical component of the IRS’s “Security Six” recommendations. By thoroughly evaluating your security tools, you ensure not only compliance but also strengthen your firm’s overall cybersecurity posture, preparing you to handle potential cyber threats more effectively.

3. Understand and Comply with Data Disclosure Laws

Navigating Complex Legal Landscapes: Each state has distinct laws regarding data breach notifications, and it’s imperative to understand these regulations in every state where your clients reside. This knowledge is crucial for legal compliance and maintaining client trust in a data breach.

Leveraging Legal and IT Expertise: This step often requires collaboration between legal experts and IT professionals to address all aspects of state and federal laws. Understanding these intricacies can be challenging, but it’s essential to develop a WISP that protects client data and adheres to legal standards.

4. Document All Data Storage Locations

Inventory of Data Storage Points: Create a detailed list of where all client data is stored—this includes digital formats like cloud servers and physical formats such as paper files and external drives. This comprehensive inventory will serve as the foundation for implementing effective security measures across all platforms.

Securing Diverse Storage Formats: Ensuring digital and physical data security is paramount. For instance, physical files should be secured in locked cabinets with restricted access, while digital data should be protected with encryption and secure cloud storage solutions. This step ensures that wherever your client data resides, it remains secure from unauthorized access.

5. Utilize a WISP Template

Streamlining the Creation Process: While not mandatory, using a template for your WISP can significantly streamline the writing process. Templates provide a structured format that covers essential security aspects, making it easier to ensure no critical element is overlooked.

Why Reinvent the Wheel? Starting with a template reduces the workload and potential errors that can come from crafting a WISP from scratch. It provides a clear guideline and checklist that you can customize to fit your firm’s specific needs, ensuring compliance and thoroughness.

Conclusion: Ensuring Comprehensive Security with a WISP

Developing a WISP is an intricate process that requires a deep dive into your firm’s cybersecurity practices and compliance with complex legal standards. By following these five steps and possibly partnering with a cloud provider for added IT support, your firm can meet IRS requirements and fortify its defenses against the ever-growing threat of cyberattacks. Remember, a well-crafted WISP is more than a compliance document—it’s a cornerstone of your firm’s cybersecurity strategy.


Frequently Asked Questions 

1. Why is a Written Information Security Plan (WISP) important for my accounting firm? 

A WISP is crucial not only because it’s a requirement for renewing your Preparer Tax Identification Number (PTIN) with the IRS, but also plays a vital role in protecting your firm from cyber threats. A well-crafted WISP outlines your firm’s approach to securing sensitive client data, ensuring that you have effective measures in place to prevent, detect, and respond to cybersecurity incidents. This proactive approach helps minimize the risk of data breaches, which can be costly and damaging to your firm’s reputation.

2. What should be included in a WISP for an accounting firm? 

A comprehensive WISP for an accounting firm should include:

  • Identification of Sensitive Data: A detailed inventory of your firm’s sensitive client data.
  • Data Protection Measures: A list of all the cybersecurity tools and protocols you use, such as firewalls, antivirus software, and multi-factor authentication.
  • Risk Assessment: An evaluation of potential cybersecurity risks and the measures in place to mitigate these risks.
  • Access Controls: Policies determining who can access sensitive data and under what circumstances.
  • Incident Response Plan: Procedures for responding to a data breach, including how to notify affected parties and regulatory bodies.
  • Regular Updates and Audits: A schedule for regularly updating and auditing the WISP to ensure its effectiveness and compliance with current laws and technologies.

3. Who should be involved in creating a WISP? 

Creating an effective WISP should involve collaboration between various experts within and outside your firm. Key participants should include:

  • IT Professionals: To provide expertise on the technical aspects of cybersecurity and help identify the best tools and practices for protecting data.
  • Legal Advisors: To ensure that your WISP complies with all relevant data protection laws and regulations at the state and federal levels.
  • Senior Management: To align the WISP with your firm’s business objectives and ensure firm-wide commitment to implementing the plan.

Human Resources: To help communicate the policies and train staff on their roles in maintaining cybersecurity. Involving a diverse group ensures that all aspects of your firm’s operations are considered, leading to a more comprehensive and effective WISP.