IRS Publication 5708 Explained: WISP Requirements for Tax Preparers

If you prepare tax returns for compensation, the IRS expects you to maintain a Written Information Security Plan (WISP). Publication 5708 is the IRS's plain-language guide to building one. This article summarizes what it requires and where tax preparers most often fall short.

What Publication 5708 Covers

Publication 5708 outlines a six-part framework: a designated security coordinator, an information inventory, a risk assessment, a written security policy, monitoring and testing, and an incident-response plan. It also includes a sample WISP template you can adapt.

The Six Required Elements

1. Designate a security coordinator. One named person is accountable for the plan.
2. Inventory client information. Where it lives, who can access it, how it moves.
3. Assess risk. Identify reasonably foreseeable threats and vulnerabilities.
4. Document safeguards. Administrative, technical, and physical controls — including MFA, encryption, backups, and access controls.
5. Monitor and test. Phishing simulations, backup restore tests, access reviews.
6. Plan for incidents. Written response, notification, and escalation procedures.

Where Tax Preparers Fail

The most common gaps we see during WISP readiness reviews: no MFA on tax software, shared logins, untested backups, no phishing training cadence, and no documented incident-response plan. Each of these is a direct audit finding.

How This Connects to Cyber Insurance

A documented WISP shortens your cyber insurance questionnaire response time dramatically. Carriers ask for nearly the same controls Publication 5708 requires.

Getting Started

Download Wolf Tech's free WISP Starter Framework, or schedule a readiness review. We map your environment to Publication 5708's requirements and identify the highest-impact gaps to close first.