Service record · Tax firms · WISP-01

Proof, not paperwork.

The IRS gives away a WISP template. I build the controls and evidence that make the written plan true.

Book a 20-minute scoping call From $4,500 · 2–3 weeks

01 · The commodity trap

The template is free.

IRS Publication 5708 is a free sample Written Information Security Plan built for tax and accounting practices. Download it. Read it. A blank plan should not cost thousands of dollars.

The problem starts when a completed template says your firm uses multifactor authentication, encrypts customer information, removes access promptly, reviews vendors, and disposes of old records. Typing those statements does not establish the controls.

I inventory the real environment first: tax software, email, file sharing, endpoints, backups, remote access, phones, vendors, and the people who touch customer information. The plan comes after the evidence. That order is the product.

Read IRS Publication 5708

02 · The obligation

Nine parts, stated plainly.

The FTC Safeguards Rule sets the shape of the information security program. Applicability and the small-firm exemptions still need to be evaluated against your facts.

Read 16 CFR 314.4

314.4-01

Qualified Individual

Designate the person responsible for the information security program.

314.4-02

Risk assessment

Assess foreseeable internal and external risks against the systems actually in use.

314.4-03

Safeguards

Design and implement controls, including access, inventory, encryption, MFA, disposal, and logging.

314.4-04

Monitoring and testing

Evaluate whether safeguards work and respond to the findings.

314.4-05

Training

Provide security awareness and role-appropriate training, then document it.

314.4-06

Service providers

Select capable providers, set expectations by contract, and monitor them.

314.4-07

Keep it current

Adjust the program when systems, threats, or business operations change.

314.4-08

Incident response

Prepare a written plan for responding to and recovering from security events.

314.4-09

Reporting

Prepare a written annual report for the governing body or equivalent senior officer.

The small-firm rule matters

Fewer than 5,000 consumers?

16 CFR 314.6 exempts financial institutions that maintain customer information concerning fewer than 5,000 consumers from four requirements: the written risk assessment, penetration testing and vulnerability assessment requirements, the written incident response plan, and the annual written report.

The rest of the Safeguards Rule still applies. I apply the exemption before proposing work, because a defensible smaller scope is better than selling controls the rule does not require.

Read 16 CFR 314.6

03 · Engagement

Assessment first. Remediation second.

Fixed scope where the facts allow it. Explicit uncertainty where they do not.

  1. Phase 01

    Assessment and WISP

    Fixed price, fixed scope, typically 2–3 weeks.

    • Data inventory and vendor map
    • Risk assessment against actual systems
    • Gap analysis against the applicable elements
    • The WISP
    • Prioritized remediation plan with the exemption applied
  2. Phase 02

    Remediation

    Scoped after Phase 1.

    • MFA, encryption verification, access review, disposal, and logging
    • Vendor contract review
    • Staff training, delivered and documented
    • Evidence pack proving each implemented control exists
  3. Phase 03

    Keeping it true

    Optional ongoing Qualified Individual support, annual training, reassessment, and updates as the firm changes.

Published pricing

Assessment and WISP from $4,500. Typically 2–3 weeks.

Phase 2 at $185–225/hr. Phase 3 from $500/mo.

Book a 20-minute scoping call

Not for firms that want the document and not the controls.

Start with scope

Find out what the rule means for your actual firm.

No fear pitch. No upload of customer records. Just enough context to decide whether an assessment is useful.

Book a 20-minute scoping call