What Is a WISP (Written Information Security Plan) and Do You Need One?
If you have heard the term “WISP” thrown around in compliance conversations and were not sure whether it applied to your business, you are not alone. A Written Information Security Plan is one of the most important — and most commonly required — security documents a small business can have, and for many businesses it is not optional. Here is what a WISP is, who needs one, what goes in it, and how to create one without getting overwhelmed.
What a WISP is
A Written Information Security Plan (WISP) is a formal, documented description of how your business protects the sensitive information it holds — customer data, employee records, financial details, and anything else that must be kept private. It is not a piece of software or a one-time task; it is a living document that describes your security program: what data you have, the risks to it, the safeguards you use, who is responsible, and how you respond when something goes wrong. In plain terms, it is your security plan written down so it can be followed, reviewed, and proven.
Why “written” matters
Plenty of small businesses have informal security practices in someone’s head. A WISP forces those practices to be documented, which does three things: it makes your protections consistent and repeatable rather than dependent on one person, it gives you something to train staff against, and — critically — it provides the evidence regulators, insurers, and clients increasingly demand. When a regulator asks how you protect data, “we’re careful” is not an answer; a WISP is.
Who needs a WISP
For a growing number of businesses, a WISP is legally required, not just a best practice:
- Financial institutions under the FTC Safeguards Rule — a broad category that includes mortgage brokers, auto dealers, tax preparers, collection agencies, and many other non-bank businesses — must maintain a written information security program. See our guide to the FTC Safeguards Rule.
- Tax and accounting professionals are required by the IRS to have a written data security plan to protect taxpayer information.
- Businesses in states with data-protection laws — Massachusetts’s 201 CMR 17.00 is the best-known — must have a WISP if they hold residents’ personal information.
- Contractors and vendors whose clients require documented security as a condition of doing business.
Even when it is not strictly required, a WISP is strongly advisable for any business that holds sensitive data, because it is the backbone of a defensible security program.
What goes in a WISP
A solid WISP generally covers: the scope and the data you protect; a designated person responsible for the program; a risk assessment identifying threats to your data; the administrative, technical, and physical safeguards you use (access controls, encryption, multi-factor authentication, training, secure disposal); how you oversee service providers who touch your data; an incident response plan; and a schedule for reviewing and updating the plan. The level of detail scales with your size and risk — a small firm’s WISP can be concise, but it must be real and followed.
How to create one
Start by inventorying the sensitive data you hold and where it lives. Assess the risks to that data. Document the safeguards you already have and identify gaps to close. Assign clear ownership. Write it in plain language your team can actually follow, then train everyone on it and review it at least annually or after any major change. You do not need to start from a blank page — a proven template tailored to your situation saves enormous time, and our cybersecurity policy guide covers the supporting policies that pair with a WISP. If you would rather have the plan built and reviewed by professionals, Veteran Forge Strategies helps small businesses develop and maintain compliant security programs.
Keeping it alive
The most common WISP mistake is writing one and filing it away. A WISP is only valuable if it reflects what you actually do and gets updated as your business changes — new systems, new staff, new data, new threats. Schedule a review at least once a year, refresh it after any significant change or incident, and keep records of those reviews. A current, followed WISP protects your data, satisfies regulators, and reassures clients; a stale one sitting in a drawer protects no one.
Common WISP mistakes to avoid
Most WISP problems are not about the writing itself but about how the plan is treated. The first and biggest mistake is the “shelf document” — a WISP created once to satisfy a checkbox, then never followed or updated. A plan that does not reflect what you actually do is worse than none, because it documents a gap between your stated and real practices that a regulator or plaintiff can point to. The second common error is copying a generic template verbatim without tailoring it to your business; if your WISP claims safeguards you do not have, or omits systems you do use, it fails on contact with reality. A third mistake is making it the IT person’s private document rather than something leadership owns and staff are trained on — security programs that live in one person’s head collapse when that person leaves. Other frequent gaps include failing to inventory all the places sensitive data actually lives (cloud apps, personal devices, email, paper files), forgetting to address service providers who handle your data, and never testing the incident response plan until a real incident exposes that no one knows their role. Finally, many businesses skip the review cadence; without a scheduled annual review and updates after major changes, even a good WISP drifts out of date within a year. Avoid these traps by treating the WISP as a living operational document — tailored, owned by leadership, trained on, tested, and reviewed — and it becomes a genuine asset rather than a liability waiting to be discovered.
Key takeaways
- A WISP is a written description of how your business protects sensitive information.
- It is legally required for FTC-covered financial institutions, tax preparers, and businesses in states like Massachusetts.
- It covers data scope, ownership, risk assessment, safeguards, vendor oversight, and incident response.
- Keep it living — review at least annually and after major changes.
Frequently asked questions
Is a WISP legally required? For many businesses, yes — FTC-covered financial institutions, tax professionals, and businesses under state laws like Massachusetts’s 201 CMR 17.00 must have one.
How long does a WISP need to be? Long enough to be real and followed — a small business’s WISP can be concise, but it must accurately describe your safeguards and be kept current.
Can I use a template? Yes — a quality template tailored to your business is a smart starting point, as long as the final plan reflects what you actually do.
This article is for general informational purposes only and is not legal advice. Verify the requirements that apply to your business and jurisdiction.
Get your WISP done — the easy way
Our WISP & FTC Safeguards Pack gives you a ready-to-tailor Written Information Security Program plus a compliance checklist, risk assessment, and vendor oversight log.
Get the WISP Pack ($39) → From Veteran Forge · editable template · instant download