ISO 27001 is an international, certifiable security management standard; a WISP is the US-required information security program for financial institutions.
ISO 27001 is an international standard for Information Security Management Systems (ISMS), with formal certification issued by accredited certification bodies. It requires a comprehensive ISMS covering risk assessment and treatment, control implementation, internal audits, management review, and continual improvement. A WISP is the written information security program required by the FTC Safeguards Rule (16 CFR Part 314) for financial institutions in the US; IRS Publication 4557 restates that requirement for tax preparers. A WISP can be aligned with ISO 27001 controls but does not need to be.
Most US CPA firms do not need ISO 27001 certification. They need a WISP. ISO 27001 becomes relevant when a firm serves international clients, particularly in the EU or UK, where enterprise procurement teams expect it. Pursuing ISO 27001 when it is not needed costs $50,000 to $150,000 over the first certification cycle and adds ongoing surveillance and recertification audit costs. A well-built WISP satisfies regulators and most US insurance carriers without it.
A WISP is a documented set of policies and procedures describing how your firm protects sensitive client data.
SOC 2 is a third-party attestation report on a service organization's controls; a WISP is an internal security program required of financial institutions.
The FTC Safeguards Rule is a federal regulation requiring financial institutions, including tax preparers, to develop, implement, and maintain a comprehensive written information security program.
Buy the WISP yourself if you need the document.
Talk to us if you want the platform.