How to build and maintain a Written Information Security Plan that meets IRS requirements: risk assessment, safeguards, training, incident response, and annual review.
Risk assessment: Identify all locations where taxpayer data is stored, processed, or transmitted. Evaluate physical security, network security, employee access, vendor access, and disposal procedures.
Safeguards: Document administrative safeguards (policies, training), technical safeguards (encryption, access controls, firewalls), and physical safeguards (locked storage, clean desk, secure disposal).
Incident response: Define what constitutes a security incident. Document the notification chain, containment steps, investigation process, and breach notification procedures as required by state and federal law.
Training: Train all staff on data handling procedures, phishing recognition, password policy, and incident reporting. Require annual re-training and maintain acknowledgment logs.
Annual review: Review the WISP annually or whenever there is a material change in business operations, technology, or regulatory requirements. Update the risk assessment and document all changes.
WISP includes the templates, checklists, logs, and SOPs to execute this workflow consistently across every engagement.