Understanding Written Information Security Plans

Written by Marc Umstead | Jul 28, 2025
The importance of securing sensitive information has never been more critical for accounting firms. In fact, it is vital that firms have a written information security plan, also known as a WISP.

As the digital landscape evolves, the importance of securing sensitive information has never been more critical for accounting firms. In fact, it is vital that firms have a written information security plan (WISP) – a comprehensive policy document that outlines how a firm protects its sensitive data. This blog post delves into the essential components of a WISP and highlights the necessary evidence and reports required to complete it effectively.

Key Components of a WISP

There are generally eight key features to a WISP. Below I briefly outline these basic components.

Introduction – This section sets the stage by providing an overview of the purpose and scope of the WISP. It includes the firm’s commitment to safeguarding information and the regulatory requirements it complies with, such as the Federal Trade Commission (FTC) Safeguards Rule, the Health Insurance Portability and Accountability Act (HIPAA), or state-specific privacy laws.

Risk Assessment – A thorough risk assessment identifies potential threats and vulnerabilities to the firm’s information systems. This section should detail the methods used to conduct the risk assessment, including the following:

  • Network vulnerability scans
  • Penetration testing
  • Questionnaires
  • Review of previous security incidents

Information Security Policies – This section outlines the specific policies and procedures designed to protect sensitive data. Key policies often include:

  • Data classification and handling
  • Access control and user authentication
  • Encryption standards
  • Incident response and management
  • Data backup and recovery

Employee Training and Awareness – Employee education is crucial for the effectiveness of a WISP. This section should describe the firm’s training programs, including:

  • Regular security awareness training sessions
  • Phishing simulation exercises
  • Policy acknowledgment and compliance tracking

Physical Security Measures – Protecting physical access to sensitive information is equally important. This section covers the measures in place to secure physical premises. Some items covered may include:

  • Access control systems (badges, biometric scanners)
  • Surveillance cameras
  • Secure disposal of documents and hardware

Technical Controls – Technical controls play a vital role in protecting digital information. This section should detail the technical safeguards implemented. Here are a few items that may be discussed:

  • Firewalls and intrusion detection systems
  • Antivirus and anti-malware software
  • Regular software updates and patch management
  • Data loss prevention tools

Incident Response Plan – In the event of a security breach, having a well-defined incident response plan is essential. This section should outline the steps to be taken, such as the following:

  • Immediate containment and mitigation efforts
  • Notification procedures for affected parties
  • Investigation and documentation of the incident
  • Post-incident analysis and remediation

Audit and Monitoring – Regular auditing and monitoring are critical to ensure ongoing compliance and effectiveness of the WISP. This section should describe the following:

  • Internal and external audits
  • Continuous monitoring of network activity
  • Review and update of security policies
Necessary Evidence and Reports

To ensure the completeness and effectiveness of a WISP, accounting firms must gather and maintain specific evidence and reports. Here are some of the reports, logs, and forms you should be gathering:

  • Risk Assessment Reports – Detailed reports from risk assessments, including identified vulnerabilities, potential impacts, and recommended mitigation strategies.
  • Training Records – Documentation of employee training sessions, attendance records, and results from training assessments.
  • Incident Reports – Thorough documentation of any security incidents, including the nature of the incident, actions taken, and outcomes.
  • Audit Logs – Logs from regular audits, detailing findings, corrective actions, and compliance status.
  • Network and System Logs – Continuous monitoring logs that capture network activity, system events, and potential security threats.
  • Policy Acknowledgment Forms – Signed forms from employees acknowledging their understanding and compliance with the firm’s information security policies.
  • Backup and Recovery Test Reports – Results from periodic testing of data backup and recovery procedures to ensure reliability.

A comprehensive WISP is essential for accounting firms to protect sensitive information and comply with regulatory requirements. By understanding the key components and gathering the necessary evidence and reports, firms can build a robust information security framework that ensures the safety and integrity of their data.

Marc Umstead is president of technology solution provider Plus 1 Technology in Pottstown, Pa. He can be reached at mumstead@plus1technology.com.

Sign up for PICPA's weekly professional and technical updates by completing this form.

Statements of fact and opinion are the authors’ responsibility alone and do not imply an opinion on the part of the PICPA's officers or members. The information contained herein does not constitute accounting, legal, or professional advice. For actionable advice, you must engage or consult with a qualified professional.
View full post