What is a WISP and who needs one?

A WISP is a Written Information Security Plan. Every paid tax preparer with a PTIN — including solo CPAs and EAs — is required to have one under the FTC Safeguards Rule and IRS Publication 4557.

Does PTIN renewal really ask about a WISP?

Yes. The PTIN renewal application asks the preparer to confirm a written security plan is in place. Misrepresenting that answer carries professional and legal risk.

What does this free check measure?

Nine practical control areas drawn from IRS Pub 4557 and the FTC Safeguards Rule, including written policy, designated coordinator, risk assessment, employee training, vendor oversight, incident response, encryption, MFA, and backup.

DOC ─ RT-WISP-2026/04

FREE / 2 MIN

01 For tax preparers + CPAs

Your PTIN renewal asks if you have a security plan.

IRS Publication 4557 and the FTC Safeguards Rule require every paid preparer to have one. Most don't. Two minutes tells you where you stand. Free. Instant grade. Written gap report by email.

★ AS OF 2023 ─ EVERY PTIN RENEWAL REQUIRES THIS ATTESTATION

STEP 01 / 03 ─ SCAN 0 / 100

YOUR PRACTICE WEBSITE OR EMAIL DOMAIN

─ NO LOGIN. NO INSTALL. NOTHING TOUCHES YOUR TAX SOFTWARE.

02 What's required

The IRS
is checking.

Since 2023 every paid tax preparer with a PTIN must attest to having a written WISP. The FTC Safeguards Rule (revised 2023) puts tax practices under the same bar as banks. Penalties for non-compliance start at $50K per violation and scale into the millions.

FTC penalty per violation

$50K

Penalty cap per category

$10M

Renewal requires attestation

PTIN

WISP control areas

03 9 control areas

Every IRS Pub 4557
control area.

WISP.01

Written security plan

Documented WISP that names a Designated Security Coordinator.

WISP.02

Risk assessment

Annual evaluation of internal + external threats to taxpayer data.

WISP.03

Safeguards in place

Encryption at rest + in transit, MFA, secure deletion.

WISP.04

Service-provider oversight

Vendor agreements with required security clauses.

WISP.05

Plan adjustment

Plan reviewed + updated when systems / staff / threats change.

WISP.06

Employee training

Annual security training for everyone touching taxpayer data.

WISP.07

Incident response plan

Written + tested response plan for data security events.

WISP.08

Physical security

Locked file storage, secure shred, badge / key controls.

WISP.09

Domain protection

SPF + DMARC so your taxpayers can't be phished as you.