IRS Publication 5708
Tax professionals handle highly sensitive client data every day — Social Security numbers, financial records, income details, and more. A single data breach can lead to identity theft, tax refund fraud, costly lawsuits, and loss of client trust. That’s why the IRS and the Security Summit partners strongly emphasize the need for a Written Information Security Plan (WISP).
IRS Publication 5708 (Revised August 2024) is the official, free 28-page resource designed specifically to help tax and accounting practices — especially smaller firms — create, implement, and maintain a compliant WISP. This article breaks down everything you need to know, with direct guidance from the publication, legal requirements, step-by-step instructions, and practical tips.
What Is IRS Publication 5708?
Published by the Internal Revenue Service (Catalog Number 93462W), Publication 5708 – Creating a Written Information Security Plan for your Tax & Accounting Practice (Rev. 8-2024) serves as both a compliance guide and a ready-to-customize template.
It walks you through:
- Legal obligations under the Gramm-Leach-Bliley Act (GLBA) and the FTC Safeguards Rule
- Risk assessment and safeguard design
- A full sample WISP template
- Six helpful attachments (record retention policies, employee rules of behavior, breach procedures, acknowledgments, hardware inventory, and authorized access list)
- Glossary of terms and links to additional IRS and NIST resources
The publication stresses that your WISP must be written, accessible to employees, scaled to your firm’s size and complexity, and treated as an “evergreen” document — reviewed, tested, and updated at least annually or whenever your business changes.
Why Every Tax & Accounting Practice Needs a WISP
Under the FTC Safeguards Rule (implementing the GLBA), tax preparers and accounting firms are classified as “financial institutions,” regardless of size. You must implement and maintain a written information security program to protect customer data.
Failure to comply can result in FTC enforcement actions, while having a strong WISP helps you:
- Prevent data breaches and identity theft
- Respond effectively to incidents
- Demonstrate due diligence to clients, insurers, and regulators
- Meet IRS expectations for safeguarding taxpayer data (cross-referenced with Publication 4557 and Publication 1345)
The IRS and Security Summit partners repeatedly remind practitioners: “Protect your clients; protect yourself.”
Key FTC Safeguards Rule Requirements Highlighted in Publication 5708
The 2024 revision explicitly calls out these mandatory elements:
- Designate a qualified individual to coordinate the information security program.
- Identify and assess risks to customer information in every area of operations and evaluate existing safeguards.
- Design and implement safeguards; regularly monitor and test them.
- Select service providers that can maintain appropriate safeguards and include contractual requirements.
- Evaluate and adjust the program based on business changes or test results.
- Implement multi-factor authentication (MFA) for anyone accessing any information system (unless the qualified individual approves equivalent or stronger controls in writing).
- Report any “security event” affecting 500 or more individuals to the FTC within 30 days of discovery.
Step-by-Step: How to Create Your WISP Using IRS Publication 5708
Publication 5708 provides a clear roadmap:
Step 1: Get Familiar with Requirements
Review Publication 5708, Publication 4557 (Safeguarding Taxpayer Data), Publication 1345, and the FTC Data Breach Response Guide.
Step 2: Define Objectives, Purpose & Scope
State that your plan creates administrative, technical, and physical safeguards to protect Personally Identifiable Information (PII) and comply with GLBA/FTC rules.
Step 3: Designate Responsible Officials
Appoint a Data Security Coordinator (DSC) responsible for implementation, training, monitoring, and annual reviews. Optionally appoint a Public Information Officer (PIO) for breach communications.
Step 4: Assess Risks
Catalog the types of PII you handle and identify where it could be lost (theft, fire, cyberattacks, employee error, etc.).
Step 5: Inventory Hardware & Systems
Create a complete list of devices, locations, and the PII stored on each (use Sample Attachment E).
Step 6: Document Safety Measures
Cover:
- PII collection, retention & destruction policies
- Personnel accountability and training
- Network protection, user access controls, MFA, encryption
- Secure electronic exchange, Wi-Fi, remote access
- Connected devices and incident reporting
- Employee Code of Conduct
Step 7: Add Implementation Clause & Attachments
Include effective date, signatures, and all sample attachments.
Step 8: Train Staff & Obtain Acknowledgments
Distribute the WISP, conduct training, and have every employee/contractor sign Sample Attachment D annually.
Step 9: Review, Test & Update Annually
Treat the WISP as an evergreen document: review, test, and update it at least annually, or whenever your business operations, technology, or risks change.
Three Core Focus Areas for Any Effective WISP
Publication 5709 (companion guide) and Publication 5708 emphasize:
- Employee management and training
- Information systems (technical safeguards)
- Detecting and managing system failures (incident response)
Best Practices from IRS Guidance
- Keep the WISP in PDF or Word format and store a copy offsite or in the cloud for disaster recovery.
- Use strong, unique passwords changed per NIST guidelines and enforce MFA everywhere possible.
- Never store PII on personal devices.
- Shred paper documents and securely wipe electronic media.
- Maintain separate guest Wi-Fi networks.
- Conduct monthly security awareness meetings.
- Review service provider contracts for safeguard clauses.
- Test backups regularly and document everything for audit readiness.
Download IRS Publication 5708 & Related Resources
- Publication 5708 (Rev. 8-2024) – Full template & guide: https://www.irs.gov/pub/irs-pdf/p5708.pdf
- Publication 5709 – How to Create a Written Information Security Plan: https://www.irs.gov/pub/irs-pdf/p5709.pdf
- Publication 4557 – Safeguarding Taxpayer Data
- Publication 5293 – Data Security Resource Guide for Tax Professionals
- FTC Safeguards Rule resources and Data Breach Response Guide
Frequently Asked Questions (FAQs)
Is a WISP required even for solo practitioners?
Yes — the FTC Safeguards Rule applies regardless of firm size.
How often must I update my WISP?
At least annually, or whenever your business operations, technology, or risks change.
Do I need to hire a lawyer or IT consultant?
Publication 5708 is designed for small practices to customize themselves, but consulting experts is recommended for complex setups or after a breach.
What if I experience a breach?
Follow your WISP’s incident response procedures, notify affected clients and the IRS Stakeholder Liaison, and report to the FTC if 500+ individuals are affected.
Final Thoughts
Creating a Written Information Security Plan is not just a compliance checkbox — it’s one of the smartest investments you can make to protect your clients, your practice, and your reputation in an era of rising cyber threats.
Start today with the free IRS Publication 5708 template. Customize it to your firm, train your team, and review it regularly. Your future self — and your clients — will thank you.
Need help getting started? Download Publication 5708 right now and begin building your WISP. Questions about implementation? Consult your IT professional or tax software provider’s security resources.
This article is for informational purposes only and is not a substitute for professional legal or IT advice. Always refer to the official IRS publications for the most current guidance.