Mako Logics
Call

Resources / WISP Template for CPAs

WISP Template for Houston CPAs.

A Written Information Security Plan template mapped directly to IRS Publication 4557 safeguards and the FTC Safeguards Rule. Written for owner-operator CPA, tax, and bookkeeping firms in the Houston area.

CPAs & Accounting services →

Published April 21, 2026. Review annually.

This is a template. Your firm’s actual WISP must be completed, reviewed, signed, and maintained. Download, customize, and keep a signed copy on file for your insurance carrier, IRS, and state-board audits.

1. Purpose

This Written Information Security Plan (“WISP”) documents how [Firm Name] protects client and firm information, in compliance with IRS Publication 4557, the FTC Safeguards Rule (16 CFR Part 314), and any applicable state data-protection laws.

2. Scope

This plan covers all firm personnel (partners, staff, seasonal preparers, bookkeepers, interns), all firm-owned or managed systems, and all client data held in electronic or paper form. It applies whether staff are working in the office, remotely, or at a client site.

3. Information Security Coordinator

[Name] is designated as the Information Security Coordinator and is responsible for implementing, monitoring, and updating this WISP. In firms of fewer than 10 people, this is typically the managing partner.

4. Risk Assessment

The firm conducts and documents a risk assessment at least annually. The assessment covers:

  • Inventory of all systems holding client information (tax software, bookkeeping, document management, email, backup)
  • Inventory of all third parties with access (your MSP, the cloud EHR vendor, your cyber insurer's auditor)
  • Identified threats by category — phishing, ransomware, insider error, lost devices, vendor compromise
  • Existing controls mapped against each threat
  • Residual risks documented and either accepted (with justification) or assigned for remediation

5. Safeguards (IRS 4557 — Technical, Administrative, Physical)

5.1 Access controls

  • Multi-factor authentication on all tax software, bookkeeping software, document management, email, and any admin portal
  • Unique accounts for every user — no shared logins
  • Access review at least quarterly — remove staff on termination, remove seasonal staff at end of season
  • Admin privileges granted by role and reviewed annually

5.2 Data encryption

  • Full-disk encryption on every workstation, laptop, and mobile device
  • TLS on every client-portal and email connection
  • Encrypted backup media with firm-specific keys
  • Encrypted email or a secure-message portal for sending PII

5.3 Monitoring and detection

  • Endpoint detection and response (EDR) on every workstation and server
  • Email threat detection / anti-phishing tooling on the firm domain
  • DMARC enforcement, SPF, and DKIM aligned
  • Suspicious login and data-export alerts reviewed weekly

5.4 Backup and recovery

  • Daily backup of tax software, document management, and mailboxes
  • At least one immutable / off-site copy
  • Tested restore — file, mailbox, and workstation image restored on a schedule
  • Documented Recovery Time Objective (RTO) and Recovery Point Objective (RPO)

5.5 Physical safeguards

  • Locked office and file rooms
  • Visitor sign-in and escort policy
  • Workstation screen-lock timeout (5-10 minutes)
  • Secure disposal of paper records and decommissioned devices

6. Employee training

  • Onboarding security training for every new hire before system access is granted
  • Annual refresher training for all staff
  • Role-specific training for staff handling client portals or e-file systems
  • Quarterly phishing simulations with remedial training for staff who click

7. Vendor management

  • Current list of all vendors with access to firm or client data
  • Written contract or security attestation on file for each vendor
  • Annual review of each vendor's security posture
  • Business Associate Agreement (BAA) or equivalent where required

8. Incident response

  • Written incident-response plan specifying containment, evidence preservation, and communication steps
  • Notification decision tree: IRS Stakeholder Liaison, state tax authority, state attorney general per state breach-notification laws, cyber insurance carrier, affected clients
  • Annual tabletop exercise walking through a ransomware and a phishing-breach scenario
  • Post-incident review and WISP update after any material event

9. Annual review and attestation

The Information Security Coordinator reviews this WISP annually and whenever a material change in the firm’s systems, staff, or client base occurs. The coordinator attests to the review in writing and the firm retains the attestation for at least seven years.

10. Sign-off

[Firm Name] — Written Information Security Plan.
Adopted: [Date].
Information Security Coordinator: [Name, Signature].
Next scheduled review: [Date].

Schedule a 15-Minute Discovery Call