Creating a Written Information Security Plan for your Tax & Accounting Practice

Did you know that cybercrime is one of the greatest threats to businesses today? As a tax and accounting practice owner, your clients trust you with sensitive information about their finances. But what measures have you put in place to protect their data? With the rising number of cyber-attacks in recent years, it has become critical for every practice owner to create a written Information Security Plan (ISP).

In this blog post, we’ll guide you through the process of creating an ISP tailored specifically for your tax and accounting practice. Protecting your clients’ information doesn’t just make good business sense; it’s also your legal obligation. So let’s get started!

What is a Written Information Security Plan?

A Written Information Security Plan (WISP) is a document that outlines the security measures taken by a tax or accounting practice to protect confidential client information. The WISP should address all areas of potential vulnerability, including physical security, data security, employee training, and incident response procedures. By creating and implementing a comprehensive WISP, practices can safeguard client data and minimize the risk of a data breach.

Why do I need a Written Information Security Plan?

As a tax and accounting professional, you have access to sensitive client information that must be protected. A Written Information Security Plan (WISP) is the document that outlines the security measures you have in place to safeguard this information.

For tax preparers a WISP is not optional: the FTC Safeguards Rule, issued under the Gramm-Leach-Bliley Act, requires a written information security program, and the IRS (Publication 4557) reminds preparers of that obligation. Beyond the legal requirement, many clients will expect you to have a WISP in place before they entrust you with their confidential information.

A well-written WISP should address all aspects of security, from physical security measures (such as locks and alarms) to digital security measures (such as firewalls and data encryption). It should also detail your policies and procedures for handling sensitive information, such as who has access to it and how it is disposed of when no longer needed.

Having a WISP in place shows your commitment to protecting your clients’ information and instills confidence that their data will be safe in your hands. It can also reduce your exposure if there is ever a breach, because you can demonstrate that you took reasonable steps to prevent unauthorized access to the information.

How do I create a Written Information Security Plan?

Your tax and accounting practice is required to have a Written Information Security Plan (WISP) under the FTC Safeguards Rule, and state data-protection laws (for example, New York’s SHIELD Act, which requires reasonable safeguards for residents’ private information) may add requirements of their own. The first step is to designate someone at your firm who will be responsible for creating and maintaining the WISP. Once you have a designated individual, you can begin creating your WISP by following these steps:

  • Understand the requirements: review the FTC Safeguards Rule and any state rules that apply to your practice to get an understanding of what needs to be included in your WISP;
  • Inventory your systems and data: make a list of all systems and data that hold client information and are covered by those rules;
  • Assess risks: identify and assess the risks to each system and data identified in Step 2;
  • Implement safeguards: based on the risks identified in Step 3, put in place appropriate safeguards to protect your systems and data;
  • Train employees: provide employees with training on how to maintain the security of your systems and data; and
  • Periodically review/update your plan: as your business changes or new threats arise, make sure to update your WISP accordingly.

What should be included in my Written Information Security Plan?

In order to create an effective Written Information Security Plan (WISP), you should include the following elements:

  1.  A description of your information security program. This should include your organization’s approach to managing information security, as well as its overall goals and objectives.
  2. A risk assessment of your practice. This should identify and assess the risks to your practice’s confidential data, both internally and externally.
  3. Policies and procedures for protecting confidential data. This should include procedures for handling, storing, and disposing of confidential data, as well as for dealing with breaches or attempted unauthorized access.
  4. Employee training on information security policies and procedures. All employees who have access to confidential data should be trained on how to protect it and what to do in case of a breach or attempted unauthorized access.
  5. Regular monitoring of your practice’s information security program. This should ensure that your program is effective and that any changes or updates are promptly made.

What to Include in an Information Security Plan

When creating a written information security plan for your tax and accounting practice, be sure to include the following:

  • A description of your business and its operations – Include an overview of your business, what services you offer, how you collect and store client data, etc.
  • Your information security policies and procedures – Outline the measures you take to protect client data, including physical security, access control, backups and disaster recovery plans.
  • Employee training and awareness – Describe how you train employees on information security best practices and ensure they are aware of the latest threats.
  • Client communication – Explain how you communicate with clients about your information security policies and procedures.
  • Monitoring and audits – Detail how you monitor your information security system for vulnerabilities and regularly audit your practices to ensure compliance with industry standards.

How to Implement an Information Security Plan

When it comes to creating a written information security plan, there are a few key things you need to keep in mind. First and foremost, your plan should be tailored specifically to your tax and accounting practice. There is no one-size-fits-all solution when it comes to information security, so make sure your plan covers all the bases for your particular business.

Here are a few tips on how to create an effective information security plan for your tax and accounting practice:

Identify Your Assets

The first step in any information security plan is to identify what assets you need to protect. This includes things like client data, financial records, and employee information. Once you know what needs to be protected, you can start putting together the rest of your plan.

Develop Policies and Procedures

Once you know what needs to be protected, you can develop policies and procedures for keeping that information safe. This might include things like password protection, data encryption, and access control measures. Make sure these policies are well-documented and easy for employees to follow.

Train Your Employees

Your employees are the front line when it comes to protecting your business’s assets. They need to be properly trained on how to follow your policies and procedures. This training should be ongoing so that everyone is always up-to-date on the latest security measures.

Maintaining Your Information Security Plan

The most important part of any security plan is putting it into practice and maintaining it over time. Here are some tips for maintaining your information security plan:

1. Review and update your plan regularly. As your business changes and grows, your security needs will change too. Make sure to review and update your plan at least once a year, or more often if needed.

2. Train new employees on your security procedures. When you bring new employees onboard, make sure they understand your information security procedures and have the necessary training to follow them.

3. Stay up to date on security threats. Be sure to keep up with the latest news on cybersecurity threats so you can identify and protect against them.

4. Test your security measures regularly. Regularly test your security measures to ensure they are working as intended and that employees are following them correctly.

5. Keep everyone in the loop. Make sure all employees are aware of your information security procedures and that they know who to contact if they have any questions or concerns.


Creating a written information security plan for your tax and accounting practice is an important part of protecting sensitive client data. By following the steps outlined in this article, you can ensure that your business is well-equipped to deal with any potential security threats or breaches. With the right procedures in place and regular monitoring activities, you’ll be able to provide clients with peace of mind knowing that their personal data is safe and secure.

Christopher Stern

Christopher Stern is a Washington-based reporter. Chris spent many years covering tech policy as a business reporter for renowned publications. He has extensive experience covering Congress, the Federal Communications Commission, and the Federal Trade Commission. He is a graduate of Middlebury College. Email: [email protected]
