What Is a WISP and Why Your Organization Needs One

What Is a WISP and Why Your Organization Needs One

August 5, 2025

Running a business while protecting sensitive assets and maintaining compliance grows more challenging every year. The number and variety of threats is rapidly evolving as bad actors continue to search for and exploit security vulnerabilities. A Written Information Security Plan (WISP) is designed to address this risk and help companies achieve a robust and practical set of security controls.

What Is a WISP?

A WISP is a formal document that outlines how an organization identifies, assesses, and manages cybersecurity risks to protect sensitive data. A well written WISP includes administrative, technical, and physical safeguards tailored to your business environment. 

A Brief History of WISPs

The concept of WISPs emerged in response to the growing need for structured cybersecurity frameworks:

• 1996: HIPAA introduced the requirement for healthcare entities to implement security policies.
• 1999: The Gramm-Leach-Bliley Act (GLBA) mandated financial institutions to protect consumer data.
• 2003: The FTC’s Safeguards Rule required comprehensive information security programs.
• 2021–2024: Amendments to the Safeguards Rule and IRS regulations made WISPs mandatory for tax professionals and introduced breach reporting requirements 

These milestones reflect a broader trend: regulators increasingly expect organizations to proactively manage data security risks.

Who Is Required to Have a WISP?

WISPs are required for organizations that handle sensitive personal or financial data, including:

• Tax professionals: The IRS mandates WISPs as part of the PTIN renewal process.
• Financial institutions: GLBA and FTC Safeguards Rule compliance requires a WISP.
• Healthcare providers: HIPAA regulations require documented security policies.
• Businesses operating in certain states: States like Massachusetts and New York have their own WISP requirements.

Even if your organization isn’t legally required to have a WISP, implementing one can significantly reduce your risk exposure and better prepare you for security incidents.

What Should a WISP Include?

While the exact contents may vary by industry and regulatory framework, a strong WISP typically includes the following elements 

1. Purpose and Scope: Define the objectives and coverage of the plan.
2. Roles and Responsibilities: Identify who is responsible for implementing and maintaining security controls.
3. Risk Assessment: Outline how risks are identified and evaluated.
4. Security Policies: Include policies for access control, data classification, encryption, and incident response.
5. Training and Awareness: Describe employee training programs and ongoing awareness efforts.
6. Monitoring and Auditing: Detail how systems are monitored and how compliance is verified.
7. Incident Response Plan: Provide procedures for detecting, reporting, and responding to security incidents.
8. Review and Updates: Establish a schedule for reviewing and updating the WISP.

Why Partner With Us?

Our IT audit team has many years of experience in SOC 1, SOC 2 , HIPAA, and compliance engagements, and we understand the complexities of achieving regulatory compliance. By partnering with us to develop your WISP, you’ll gain:

• A customized plan aligned with your business and regulatory requirements.
• Expert guidance from auditors who understand both technical controls and legal obligations.

• Confidence that your organization is better prepared to address audits, security events, and emerging threats.
  
  

Find out more about our IT and SOC Audit services and answers to frequently asked questions we receive.  Larson and Company has developed a suite of services specifically to serve the needs of companies of all sizes in a wide range of industries.  Click here to schedule a free 2 hour consulation to discuss your company's needs.