Practical checklist

Accounting Firm WISP Checklist

Use this checklist to connect the written information security plan to real safeguards, responsible roles, vendor oversight, incident preparation, and recurring review.

Plan scope and responsibility

  • Identify covered customer information, business processes, systems, devices, locations, and service providers.
  • Designate the qualified individual or responsible role overseeing the information security program.
  • Document management approval, reporting expectations, and review cadence.
  • Keep an inventory of information systems and data flows.

Risk assessment and safeguards

  • Document foreseeable internal and external risks and evaluate existing safeguards.
  • Implement access controls, multifactor authentication, secure configurations, encryption, endpoint protection, and logging based on risk.
  • Protect email, remote work, file sharing, tax applications, backups, and administrator accounts.
  • Track remediation actions, owners, dependencies, and completion evidence.

People, vendors, and incidents

  • Provide workforce training and maintain acknowledgements and completion records.
  • Apply onboarding, role-change, termination, and access-review procedures.
  • Evaluate service providers, document contractual responsibilities, and review material vendors periodically.
  • Maintain an incident response plan, reporting process, contact list, and recovery procedures.

Review and evidence

  • Review the WISP after significant changes and on a defined recurring schedule.
  • Retain risk assessments, access reviews, training records, vendor reviews, test results, and management reports.
  • Document material events, control exceptions, and approved risk decisions.
  • Confirm that the written plan accurately reflects current operating practices.

Move beyond a template document

A WISP should reflect the firm’s actual systems, risks, safeguards, responsibilities, and review process. This checklist is operational guidance and should be reviewed with qualified legal or regulatory advisors where needed.

Explore WISP implementation