Build a WISP from Scratch: Your Step-by-Step Guide to a Written Information Security Program

By OCD Tech
March 25, 2026
14 min read

If you handle sensitive client data — whether you're a tax professional, a healthcare provider, a financial services firm, or a growing SaaS company — you've likely heard the term WISP thrown around in compliance conversations. But what does it actually mean to build one, and where do you even start?

A Written Information Security Program (WISP) is a documented framework that defines how your organization identifies, manages, and protects sensitive data. It's not just a bureaucratic checkbox — it's your roadmap for data security and, in many industries, a federal requirement.

Here's how to build a WISP from scratch, step by step.

What Is a WISP and Why Does It Matter?

A WISP is a comprehensive, written document that outlines the administrative, technical, and physical safeguards your organization uses to protect personally identifiable information (PII) and other sensitive data.

Under the Gramm-Leach-Bliley Act (GLBA) and the FTC Safeguards Rule (16 CFR Part 314), businesses the rule classifies as financial institutions, including tax preparers, CPAs, and accounting firms, are legally required to develop, implement, and maintain a written information security program. The HIPAA Security Rule similarly requires covered healthcare organizations to document their security policies and procedures, and PCI DSS, a contractual standard imposed by the card brands rather than a law, requires a documented information security policy of any business that stores, processes, or transmits cardholder data.

The consequences of non-compliance are real. The FTC has assessed penalties reaching $500,000 for notification failures, and civil penalties for violating an FTC order accrue per violation per day at a statutory maximum that is adjusted for inflation every year (it stood at $46,517 in 2022 and is higher today). Beyond the legal exposure, a well-built WISP also protects your business reputation and builds client trust.

Step 1: Designate a Security Coordinator to Build Your WISP from Scratch

The first thing your WISP needs is a person responsible for it. At least one person must be designated to coordinate and report on information security; the Safeguards Rule calls this person the Qualified Individual. In smaller organizations, this is often the owner or office manager. In larger ones, it may be an IT director or a dedicated compliance officer. The rule also allows the Qualified Individual to be employed by a service provider or affiliate, but in that case your organization keeps responsibility for the program and must name a senior member of its own staff to direct and oversee that person.

This person's responsibilities include:

  • Overseeing the development and implementation of the WISP
  • Coordinating security activities across departments
  • Managing vendor relationships and third-party oversight
  • Keeping the program updated as threats and regulations evolve

Document this designation formally inside the WISP itself. The role does not necessarily require a deep technical background, but it does require someone qualified to run the program and accountable for its results.

Step 2: Conduct a Risk Assessment

Before you can protect your data, you need to know where it lives and what threatens it. The Safeguards Rule requires this risk assessment to be written. It must list the types of information your office handles, where each type is stored and transmitted, and how that information could be compromised: exposed by an insider or an outside attacker, disclosed to unauthorized individuals, altered, or accidentally deleted.

Your risk assessment should cover:

  • Data inventory: What types of sensitive data do you collect, store, and transmit? (SSNs, financial records, health information, login credentials, etc.)
  • Device inventory: Every device that stores or processes PII, including laptops, phones, servers, and cloud accounts.
  • Threat identification: What are the realistic risks? Phishing attacks, ransomware, insider threats, physical theft, accidental disclosure.
  • Current safeguard evaluation: What controls do you already have in place, and are they actually working?

This assessment becomes the foundation for every other section of your WISP. Revisit it at least once a year — or any time your business operations change significantly.

Step 3: Design and Document Your Safeguards

With risks identified, you can now define the controls you'll put in place to address them. Your WISP should document safeguards across three categories:

Technical safeguards:

  • Multi-factor authentication (MFA) for anyone accessing any system that stores or processes sensitive data
  • Encryption for data at rest and in transit
  • Endpoint protection (antivirus, EDR)
  • Access controls — only employees who need data should have access to it
  • Regular software updates and patch management

Administrative safeguards:

  • Employee security training and documented acknowledgments
  • Password policies
  • Background check procedures for personnel handling sensitive data
  • Clear acceptable use policies

Physical safeguards:

  • Locked filing cabinets and server rooms
  • Visitor access controls
  • Screen lock policies for workstations
  • Secure disposal of physical records and devices

Don't overcomplicate this section. Write it in plain language that your team can actually follow.

Step 4: Build an Incident Response Plan

Your WISP must include a plan for what happens when something goes wrong. An incident response plan (IRP) defines the steps your organization takes when a data breach or security incident occurs.

At minimum, your IRP should cover:

  • Detection and containment: How will you identify a breach? Who gets notified first?
  • Assessment: What data was affected? How many individuals?
  • Notification: Under the amended Safeguards Rule, a notification event involving the unencrypted information of 500 or more consumers must be reported to the FTC as soon as possible and no later than 30 days after you discover it, not 30 days after the incident itself occurred. Many states have their own breach notification timelines and content requirements, several of them considerably shorter, so the WISP should list which ones apply to your clients.
  • Recovery: How do you restore normal operations?
  • Post-incident review: What changed to prevent recurrence?

Having this plan written in advance is the difference between a contained incident and an organizational crisis.

Step 5: Establish Vendor Oversight

Your security is only as strong as your weakest third party. Holding third-party vendors to the same standards as the company that originally collects the information is a central concept in a WISP. The Safeguards Rule requires you to select service providers capable of maintaining appropriate safeguards, bind them to those safeguards by contract, and periodically reassess them based on the risk they present.

For every vendor or service provider with access to your client data — cloud storage, payroll platforms, CRMs, IT support — your WISP should document:

  • How you vetted them before onboarding
  • What contractual data protection obligations they've agreed to
  • How you monitor their compliance on an ongoing basis

This section is frequently overlooked and frequently cited in breach investigations. Don't skip it.

Step 6: Train Your Team and Keep Records

A WISP that lives in a folder and never gets read isn't compliance — it's paperwork. Employee training is mandatory, not optional. Without documented training records, you can't prove compliance. Keep signed acknowledgments, training dates, and materials covered.

Your training program should be:

  • Conducted at onboarding and refreshed at least annually
  • Role-specific where possible (finance teams have different risk profiles than customer support)
  • Documented — keep records of who attended, what was covered, and when

Step 7: Review, Test, and Update Annually

Tax professionals are legally required to have a written, accessible plan and must review, test, and update it regularly. Adjustments should be made based on changes in the firm's operations or on the results of security testing and monitoring. The Safeguards Rule also requires the Qualified Individual to report in writing to the board or senior management at least once a year on the program's overall status, risk assessment results, test results, incidents, and recommended changes, so the annual review doubles as the source material for that report.

Set a calendar reminder for an annual WISP review. Ask:

  • Have our business operations changed?
  • Have new threats emerged?
  • Did any incidents occur that revealed gaps in the plan?
  • Are all our vendor contracts still current?

A WISP is a living document, not a one-time project.

The Bottom Line: A WISP Protects More Than Data

Building a WISP from scratch may feel overwhelming, but it doesn't have to be. Start with a risk assessment, assign ownership, document your controls, and build from there. You don't need a perfect document on day one — you need a real one that your team actually follows and that improves over time.

Whether you're driven by compliance requirements, client expectations, or simply the desire to protect your business, a solid WISP is one of the highest-leverage investments you can make in your organization's security posture.

Ready to build your WISP but not sure where to start?

→ Our team at OCD Tech helps businesses of all sizes design, document, and implement Written Information Security Programs that meet compliance requirements and actually work in practice. Talk to an expert today — and stop leaving your data protection to chance.
