What is a Written Information Security Program (WISP)?

Home  »  Blog  »  Cyber Security  »  What is...

By Bill Minahan   |   August 6, 2020   |   6 Comments

What is a Written Information Security Program?

A Written Information Security Program (WISP) is a document that details an organization’s security controls, processes, and policies. A WISP is a roadmap for an organization’s IT security and is legally required by several states.

Data security laws are in place to ensure that businesses that own, license, or maintain personal information about residents implement and maintain reasonable security procedures and practices.

The number of states with data security laws has doubled since 2016, reflecting an increase in data breaches and cyber crime.

A Written Information Security Program is designed to provide your organization with solid security procedures that not only reduce your chance of a breach but also limit your liability if one were to occur.

A WISP demonstrates to law enforcement and the public that your business has reasonable security measures in place. Likewise, a well-crafted WISP also shows your customers and employees that you value their data and take the responsibility of securing it seriously.

For instance, one of the key elements of a WISP that every business is expected to undertake is a cyber security assessment. A cyber security assessment evaluates and identifies your risks and therefore allows your team to mitigate them in order of magnitude and likelihood of the threat.

A cyber security assessment provides your organization with a benchmark of your security so that your team can start building your WISP with greater visibility into your IT security environment.

aNetworks offers a free cyber security assessment tool that generates a report on your organization’s security posture.

What does a WISP cover?

Written Information Security Programs (WISPs) can vary greatly in what security controls they cover. How comprehensive your WISP is will depend on your industry, size, and which state laws you must comply with. As a result, WISPs can fluctuate depending on which security framework your business follows.

For the vast majority of businesses, a WISP is a legal requirement that ensures adequate administrative, technical, and physical safeguards are in place for your business to protect personally identifiable information (PII). Furthermore, a WISP requires proper documentation of these safeguards.

Specifically, WISPs address the following security areas:

  • Designating employees responsible for the security program
  • Identifying as well as assessing security risks
  • Developing policies for the storage, access, and transportation of personal information
  • Imposing disciplinary measures for violations of the WISP
  • Limiting access by or to terminated employees
  • Overseeing the security practices of third-party vendors as well as contractors
  • Restricting physical and digital access to records
  • Monitoring and then reviewing the scope and effectiveness of the WISP
  • Documenting data security incidents and responses

Additionally, there are also certain technical requirements of WISPs that can include the following:

  • Securing users credentials
  • Restricting access to PII on a need-to-know basis
  • Encrypting the transmission and storage of personal information
  • Monitoring security systems
  • Updating firewalls, security patches, anti-virus, and anti-malware software
  • Training employees on security policies as well as the proper use of computer security systems

Apart from the legal obligation of WISPs, creating a well-written and tailored WISP will reduce your risk of a data security incident and allow you to respond quickly if one were to occur. As a result, in most cases, it’s in the best interest of a business to implement and maintain a WISP.

The more detailed and comprehensive your WISP is, the less likely you are to become a victim of a cyber security incident. Your WISP should be tested and updated frequently. However, a “paper-plan” security program is better than no program at all.

Which states require a Written Information Security Program?

The following is a comprehensive list of states that have enacted data security laws that require a WISP or similar alternative:

  • Alabama
  • Arkansas
  • California
  • Colorado
  • Connecticut
  • Delaware
  • Florida
  • Illinois
  • Indiana
  • Kansas
  • Louisiana
  • Maryland
  • Massachusetts
  • Minnesota
  • Nebraska
  • Nevada
  • New Mexico
  • New York
  • Ohio
  • Oregon
  • Rhode Island
  • South Carolina
  • Texas
  • Utah
  • Vermont
  • District of Columbia

If you are interested in the specific requirements your state imposes for data security laws, then please contact us. Our compliance experts are versed in data security laws throughout the U.S. and have ample experience meeting compliance requirements for a variety of frameworks. As a result, we can quickly and efficiently determine which WISP framework works best for your business in order to save you both time and money.

Written Information Security Programs

If your organization is looking to implement a WISP, then a good place to start is a cyber security assessment. An assessment will highlight which areas of your IT security are the most vulnerable.

As a result, you can build your WISP and implement security controls around the areas that require the most attention. In most cases, businesses that have a WISP in place are more secure and far less likely to face fines and penalties than their competitors.

If you are looking to outsource your written information security program, then aNetwork’s provides writing services as well as implementation services.

If you are interested in our written WISP services, then please fill out the form below and we will send you a quote within 24 hours.


Additionally, you can call us at 855-459-6600.

If you are looking for more information, then check out our resource center.

Finally, you can always find us on Twitter, LinkedIn, and Facebook.


Zoe Cullen

August 11, 2020 | 8:39 am

Of course!


August 9, 2020 | 1:24 am

Hello! Would you mind if I share your blog with my twitter group? There's a lot of folks that I think would really appreciate your content. Please let me know.


August 8, 2020 | 3:22 pm

I visited multiple web sites however this explanation is truly excellent.


August 8, 2020 | 9:36 am

great, you gained a new reader.


August 7, 2020 | 11:08 pm

helpful blog from start to end.


August 7, 2020 | 8:10 pm

keep up writing.