Written Information Security Program (WISP)
Almost nobody comes looking for a WISP because they want one. Somebody told you to have one. A cyber insurance application asked whether you maintain a written information security program. A client's procurement team sent a questionnaire with that exact line on it. The IRS reminded your tax practice that a written data security plan is required. A state law put the obligation in writing. The acronym lands on your desk as a requirement, and the question underneath it is the same every time: where do we get one, and does the one we have actually count?
Here's the honest read after the programs we've reviewed. Most firms already do a lot of the right things. The MFA is on, the laptops are encrypted, the backups run. What's missing is the document that ties those pieces together, names the person who owns them, and proves the firm thought it through. A pile of controls and a written program are not the same thing, and the WISP is the second one. This page covers what a WISP actually is, who requires one, and how we build it so it holds up when someone asks to see it.
What a WISP actually is
A Written Information Security Program is the document that describes how your business protects sensitive information: what data you hold, where it lives, what threatens it, the controls you run against those threats, who is responsible, and what happens when something goes wrong. It is built on a written risk assessment, not a logo dropped onto a template. The risk assessment is the part that makes it yours, and it's the part the downloaded versions skip.
A real WISP covers the same ground regardless of which regime is asking for it. It inventories where regulated or sensitive data sits. It names a responsible person who owns the program. It documents access controls, encryption, multi-factor authentication, monitoring, and secure disposal. It includes an incident response plan and a schedule for keeping the whole thing current. The framework underneath might be the FTC Safeguards Rule, IRS guidance, a state statute, or an insurer's expectations, but the artifact looks broadly similar across all of them. Build it once, properly, and it answers most of the people who will ever ask.
Who actually requires one
The WISP shows up under more than one authority, which is why so many businesses run into it from a direction they didn't expect.
For financial institutions as the FTC defines them, which reaches tax preparers, CPA firms, bookkeepers, mortgage brokers, and auto dealers that arrange financing, the FTC Safeguards Rule requires a written Information Security Program maintained by a designated Qualified Individual. That is a WISP by another name, and it has carried enforcement weight since June 2023. The regulation itself, the penalties, and how the program gets built sit on our FTC Safeguards Rule page.
For paid tax return preparers, the IRS requires a written data security plan, and Publication 4557 lays out what it has to contain. PTIN renewal asks preparers to confirm they have one. The operational side of a tax practice, the seasonal staff and the client portal and tax-season scheduling, lives on our IT for CPAs page.
For businesses that hold personal information on residents of certain states, state data-protection laws require a written program directly. The most cited example names the WISP explicitly and applies to any business holding covered residents' personal information, in or out of that state. If you sell or serve across state lines, one of these probably reaches you.
And then there's the audience that has nothing to do with regulation: your own customers and your insurer. A client's vendor questionnaire and a cyber insurance application both ask whether you maintain a written information security program, and both treat a "no" as a problem. Cyber insurance readiness is its own subject, covered on our Cyber Insurance page.
Why the downloaded version fails
A WISP you pulled off the internet and filled in your name fails for one reason: it describes a generic business, not yours. The risk assessment underneath it is the whole point, and a template doesn't have one. When an examiner, an auditor, or an insurer's investigator reads a WISP, they're checking whether it matches the environment in front of them. A program that lists controls you never implemented, or omits systems you actually run, is worse than no program, because now there's a signed document that doesn't match reality.
The other failure is age. A WISP is a living document. It's supposed to change when you add a location, swap a core system, bring on a vendor with access, or change who's responsible. The version that was accurate the day it was written drifts out of date the first time the business changes, and most of the WISPs we review on prospect assessments describe a company that no longer exists. A current, accurate program is worth more than a thorough one that's three years stale.
How we build it
We don't write a WISP as a standalone document while another firm runs your systems. That's the rule that runs through everything on our Compliance Services hub: the program describes a security posture that's supposed to be live on real machines, and when one company writes the document and another operates the network, the two drift apart within a quarter. The next questionnaire, audit, or claim is where that gap shows up.
So the WISP is built as part of a Managed IT Services engagement. We run the risk assessment against your actual environment, write the program to match what's really there, implement the controls it calls for, name and support the person who owns it, build the incident response plan, and keep the document current as the business changes. When you swap a system or add an office, the program changes with it, because the team making the change is the team holding the pen. We run the same discipline on our own business, hosting and securing our own customer-facing infrastructure and carrying our own compliance obligations every year, so the program we build for you is one we keep for ourselves.
Where to start
A short call is enough to find out whether you actually need a WISP, which authority is driving it, and whether the one you have would survive a look. Bring the questionnaire, the insurance application, or the letter that sent you here, or come without one and we'll figure out which regimes reach you. Thirty minutes, no commitment.
Frequently asked questions
Is a WISP the same thing as FTC Safeguards compliance?
Closely related, not identical. The FTC Safeguards Rule requires a written Information Security Program, which is a WISP, so for a covered financial institution the two overlap almost completely. But the WISP also satisfies IRS requirements for tax preparers, state data-protection laws, and the written-program question on insurance and client questionnaires. We build one program and document it for whichever audiences apply to you. The Safeguards Rule specifically is covered in full on our FTC Safeguards Rule page.
Can't we just download a WISP template and fill it in?
You can, and it won't hold up. The value of a WISP is the risk assessment underneath it, which describes your actual data, systems, and threats. A template has a generic one or none at all. An examiner or insurer reads the program against your real environment, and a document that doesn't match is a liability, not protection. The template is a starting outline at best, never the finished program.
Who has to be named as responsible for the program?
Most regimes require a designated individual who owns the information security program and answers for it. Under the FTC Safeguards Rule that role is called the Qualified Individual. It can be someone inside your business, and we support that person rather than replace them, bringing the technical depth and the documentation while they hold the accountability the rule assigns to your firm.
How often does a WISP need updating?
Whenever the environment it describes changes, and at least annually. A new location, a new core system, a new vendor with access, or a change in who's responsible all trigger an update. A WISP that hasn't moved in three years almost certainly describes a business that has. Keeping it current is the main reason the program and the live systems belong with one team.
We already have an IT company. Doesn't that cover the WISP?
Not by itself. A typical IT support contract keeps systems running. It doesn't produce a written risk assessment, a named responsible individual, a documented incident response plan, or a program that's maintained as the business changes. Good IT support is necessary for a real WISP and not sufficient on its own. The question to ask your current provider is who wrote your risk assessment and when.