Build a WISP from Scratch

By  
April 6, 2026
7 min read

If you handle sensitive client data — whether you're a tax professional, a healthcare provider, a financial services firm, or a growing SaaS company — you've likely heard the term WISP thrown around in compliance conversations. But what does it actually mean to build one, and where do you even start?

A Written Information Security Program (WISP) is a documented framework that defines how your organization identifies, manages, and protects sensitive data. It's not just a bureaucratic checkbox — it's your roadmap for data security and, in many industries, a federal requirement. Here's how to build a WISP from scratch, step by step.

What Is a WISP and Why Does It Matter?

A WISP is a comprehensive, written document that outlines the administrative, technical, and physical safeguards your organization uses to protect personally identifiable information (PII) and other sensitive data. Under the Gramm-Leach-Bliley Act (GLBA) and the FTC Safeguards Rule (16 CFR Part 314), businesses classified as financial institutions — including tax preparers, CPAs, accounting firms, and mortgage brokers — are legally required to maintain a compliant WISP.

Similarly, HIPAA mandates written security programs for healthcare organizations, and PCI-DSS requires one for any business that accepts credit or debit card payments. The consequences of non-compliance are real: the FTC has assessed penalties reaching $46,517 per violation per day. For tax professionals, false certification of compliance on PTIN renewal constitutes perjury on a federal form. Beyond the legal exposure, a well-built WISP protects your business reputation and builds client trust in a way that no marketing message can replicate.

Step 1: Designate a Security Coordinator to Build Your WISP from Scratch

The first thing your WISP needs is a named person responsible for it. At least one employee must be designated to coordinate and report on information security. In smaller organizations, this is often the owner or office manager. In larger ones, it may be an IT director or dedicated compliance officer. What it cannot be is a department, a title with no name, or nobody.

This person's responsibilities include overseeing the development and implementation of the WISP, coordinating security activities across departments, managing vendor relationships and third-party oversight, and keeping the program updated as threats and regulations evolve. Document this designation formally inside the WISP itself — with their name, title, reporting structure, and scope of authority.

Step 2: Conduct a Risk Assessment

Before you can protect your data, you need to know where it lives and what threatens it. Your risk assessment must cover your complete data inventory (what types of sensitive data you collect, store, process, and transmit), your device inventory (every device that touches PII, including laptops, phones, servers, and cloud accounts), threat identification (phishing, ransomware, insider threats, accidental disclosure), and an honest evaluation of how effective your current controls actually are.

This assessment becomes the foundation for every other section of your WISP. If a control exists but has no corresponding risk in your assessment, it's undocumented. If a risk exists but has no control, you have a gap that regulators will find. Revisit your risk assessment at least once a year — or any time your business operations change significantly.

Step 3: Design and Document Your Safeguards

With risks identified, you can now define the controls you'll implement to address them. Your WISP should document safeguards across three categories. Technical safeguards include multi-factor authentication for all systems accessing sensitive data, encryption for data at rest and in transit, endpoint protection, access controls enforcing least privilege, and regular patch management. Administrative safeguards cover employee security training, password policies, background check procedures, and acceptable use policies. Physical safeguards address locked server rooms, visitor access controls, screen lock policies, and secure disposal of physical records and devices.

Write these in plain language your team can actually follow. A safeguards section that reads like a legal document will sit unread in a folder and provide no real protection — or defense in an audit.

Step 4: Build an Incident Response Plan

Your WISP must include a documented plan for what happens when something goes wrong. An incident response plan defines the steps your organization takes when a data breach or security incident occurs. At minimum, it must cover detection and containment (how will you identify a breach and who gets notified first), assessment (what data was affected and how many individuals), notification procedures (the FTC requires reporting within 30 days for incidents affecting 500 or more individuals, and many states have shorter timelines), recovery, and post-incident review.

Having this plan written in advance is the difference between a contained incident and an organizational crisis. A plan that exists only in someone's head is not a plan — it's a liability.

Step 5: Establish Vendor Oversight

Your security is only as strong as your weakest third party. For every vendor or service provider with access to your client data — cloud storage, payroll platforms, CRMs, IT support — your WISP must document how you vetted them before onboarding, what contractual data protection obligations they've agreed to, and how you monitor their compliance on an ongoing basis. This section is frequently overlooked and frequently cited in breach investigations. Don't skip it.

Step 6: Train Your Team and Keep Records

A WISP that lives in a folder and never gets read isn't compliance — it's paperwork. Employee training is mandatory under the FTC Safeguards Rule, and without documented records, you cannot prove compliance. Keep signed acknowledgments, training dates, and materials covered. Training should occur at onboarding and be refreshed at least annually, with role-specific content where possible.

Step 7: Review, Test, and Update Annually

Set a calendar reminder for an annual WISP review. Ask whether your business operations have changed, whether new threats have emerged, whether any incidents revealed gaps, and whether all vendor contracts are still current. A WISP is a living document. Regulators and auditors look for evidence of active program management — not just a document that was written once and never touched again.

Ready to Build Your WISP?

Building a WISP from scratch doesn't have to be overwhelming. Start with a risk assessment, assign ownership, document your controls, and build from there. OCD Tech helps businesses of all sizes design, document, and implement Written Information Security Programs that meet compliance requirements and actually work in practice. Talk to an expert today and stop leaving your data protection to chance.
