What’s the difference between a Written Information Security Plan (WISP) and a general IT security policy?

A Written Information Security Plan (WISP) is a specific compliance document required by the FTC Safeguards Rule that must address nine mandatory elements and demonstrate how your accounting firm protects customer information. It’s legally required for firms covered by the Gramm-Leach-Bliley Act. A general IT security policy is a broader document covering your internal technology use, acceptable use, password requirements, and similar topics. While there’s overlap, the WISP must specifically address risk assessment, safeguard implementation, vendor management, incident response, monitoring/testing, training, and annual reporting. Many accounting firms need both documents, but the WISP is the regulatory requirement you’ll be audited against.
