The overview list of the inspection criteria of the International Website Trust Standard (IWTS) is an extended explanation, which not only contains the technical aspects, but should also provide a non-specialist with a comprehensible explanation of the inspection contents and characteristics.
The description on this page is an informal statement. The inspection instructions for the audit in the certification procedure, i.e. the inspection for "conform" and "non-conform", are laid down in the IWTS standard manual.
Note: The information in brackets within the headings indicates the variant of the IWTS-Standard for which the criteria are inspected.
DE = German variant
INT = International variant
Four areas are examined for cyber security:
It will be checked whether the URL (internet address) given when the application is submitted is also the URL containing the areas to be inspected. If the URL changes after entering it in the address line and calling up the website, there is an open redirection and the inspection would not be successful.
The Hypertext Transfer Protocol Secure (HTTPS) is an extension of the Hypertext Transfer Protocol (HTTP) and is used for secure communication on the Internet. HTTPS is encrypted using SSL or TLS (see Cyber Security 3.). After calling up the website, the use of HTTPS can be recognized in the address line of the browser by displaying the character string https:// before the URL. If unencrypted communication were used, only http:// would be displayed and the inspection would not be successful.
Note: Some browser providers, such as Chrome or Opera, no longer display https:// or http:// in the address bar by default for cosmetic reasons. To make the complete URL, including https:// or http://, visible in the Chrome browser, double-click on the URL in the address bar.
Secure communication on the internet is guaranteed by strong encryption using an SSL or TLS certificate. Although the current standard of encryption is TLS (Transport Layer Security), the term SSL (Secure Sockets Layer) is still widely used.
The use of an SSL/TLS certificate can be recognized in the browser by the character string https://, which was checked in the previous section (Cyber Security 2.). In addition, it is indicated by the symbol of a closed padlock at the beginning of the browser address line, which is usually displayed in green or grey, depending on the browser provider.
In order to ensure that the SSL/TLS certificate used on the website to be verified is valid and fully functional, i.e. that there are no security or warning messages, the verification of the SSL/TLS certificate is performed using up-to-date, appropriate and reliable technical means.
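The three checks above (the URL must not change after loading, it must be served over https://, and the certificate must be valid for the host) can be reproduced with a small script. The following is an added example, not part of the IWTS material or any tool the standard uses; it uses only the Python standard library. The live function `inspect_site` needs network access, while `classify_redirect` and `evaluate_cert` work on plain values, so they are exercised here with a constructed certificate dictionary (`SAMPLE_CERT`) and a fixed point in time (`SAMPLE_NOW`). The 14-day expiry warning threshold and the list of protocol versions treated as obsolete are assumptions of this example, not IWTS thresholds.

```python
import socket
import ssl
import time
from urllib.parse import urlparse
from urllib.request import Request, urlopen


def normalize(url):
    """Reduce a URL to the parts compared here: scheme, lower-cased host,
    and path without a trailing slash."""
    p = urlparse(url)
    return p.scheme.lower(), p.netloc.lower(), p.path.rstrip("/")


def classify_redirect(submitted_url, final_url):
    """Inspection points 1 and 2: the URL that finally answers must be the
    URL given in the application, and it must be served over https://.
    Returns (conform, reason)."""
    if normalize(final_url)[0] != "https":
        return False, "final URL is not served over https://"
    if normalize(submitted_url) != normalize(final_url):
        return False, f"URL changed after loading: {submitted_url} -> {final_url}"
    return True, "URL unchanged and served over https://"


def hostname_matches(host, san_names):
    """Exact or single-label wildcard match of the host against the DNS
    names listed in the certificate."""
    host = host.lower()
    for name in san_names:
        name = name.lower()
        if name == host:
            return True
        if name.startswith("*.") and host.endswith(name[1:]) \
                and host.count(".") == name.count("."):
            return True
    return False


def evaluate_cert(cert, hostname, now=None, warn_days=14):
    """Inspection point 3: check a certificate dict in the shape returned by
    SSLSocket.getpeercert() for validity period and hostname coverage.
    Returns a list of findings; an empty list means no objection."""
    now = time.time() if now is None else now
    findings = []
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        findings.append("certificate not yet valid")
    if now > not_after:
        findings.append("certificate expired")
    elif not_after - now < warn_days * 86400:   # warn_days is an assumption of this example
        findings.append(f"certificate expires within {warn_days} days")
    san = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not hostname_matches(hostname, san):
        findings.append(f"hostname {hostname} not covered by certificate names {san}")
    return findings


def inspect_site(submitted_url, timeout=10):
    """Live check (needs network access): follow redirects with a verifying
    HTTPS client, then read the negotiated certificate and protocol version."""
    req = Request(submitted_url, headers={"User-Agent": "iwts-example-check/1.0"})
    with urlopen(req, timeout=timeout) as resp:   # urlopen verifies the chain itself
        final_url = resp.geturl()
    conform, reason = classify_redirect(submitted_url, final_url)
    host = urlparse(final_url).hostname
    ctx = ssl.create_default_context()
    with socket.create_connection((host, 443), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            version = tls.version()
    findings = evaluate_cert(cert, host)
    if version in ("SSLv3", "TLSv1", "TLSv1.1"):   # assumed list of obsolete versions
        findings.append(f"obsolete protocol version negotiated: {version}")
    return {"final_url": final_url, "url_conform": conform, "reason": reason,
            "tls_version": version, "findings": findings}


# Constructed sample certificate (shape of SSLSocket.getpeercert()) and a fixed
# "now", so that the evaluation can be exercised offline.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2030 GMT",
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}
SAMPLE_NOW = ssl.cert_time_to_seconds("Jun 15 12:00:00 2025 GMT")

if __name__ == "__main__":
    print(classify_redirect("https://example.com/", "https://example.com"))
    print(evaluate_cert(SAMPLE_CERT, "www.example.com", SAMPLE_NOW))
```

`inspect_site("https://example.com/")` performs the live check; any certificate error (expired, wrong host, untrusted chain) surfaces as an exception from `urlopen`, which is exactly the "security or warning message" the criterion is looking for.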
The technical condition of a website is inspected.
Cyber security also includes the technical condition of a website and thus the inspection of the website for security holes and possible technical compromises.
The IWTS-Standard tests rely on state-of-the-art tools and global databases for integrity monitoring to detect vulnerabilities, malware and viruses on a website. It is possible that a website is infected with malware or spam, or that poor technical conditions and settings are used to take control of a website in whole or in part. This procedure can cause damage to website operators and visitors to the website.
To ensure the highest possible security of the website, a check for currently known and relevant malicious systems and security holes is carried out.
A checking tool tests the security of the website.
The test score must have at least the predicate "low risk" (Low). The best predicate is "minimal risk". This means that the website is classified as safe with low risk according to the IWTS-Standard.
There will be a cyber security test on:
The test shall be carried out using up-to-date, appropriate and reliable technical means.
The term cookie comes from English and, in its original meaning, translates into German as "Keks" (biscuit, cookie). In connection with the Internet, a cookie is a small text file that is stored locally on the user's computer when he or she visits a website. This file stores data about the user's behavior. If the corresponding website is visited again, the cookie is read and, with the help of the stored data, provides the web server with information about the user's surfing behavior and previous visits, so that the visit can be adapted to the user's needs.
The check for the presence of cookies and their nature is carried out with current, appropriate and reliable technical means.
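To show what "the presence of cookies and their nature" amounts to technically, here is an added example (not IWTS material, not a tool the standard names) that parses the `Set-Cookie` headers a server sends on a first visit and reports, per cookie, whether it is a session or persistent cookie, its lifetime, whether it is first-party for the inspected host, and its `Secure`, `HttpOnly` and `SameSite` attributes. The three header lines in `SAMPLE_SET_COOKIE` are constructed, as is the fixed `SAMPLE_NOW`; the findings in `cookie_findings` are common cookie-hardening expectations, not the IWTS rule text.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

# Constructed Set-Cookie headers, as a browser would receive them on a first visit.
SAMPLE_SET_COOKIE = [
    "PHPSESSID=9f3a1c; Path=/; Secure; HttpOnly; SameSite=Lax",
    "_ga=GA1.2.123456; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Path=/; Domain=.example.com",
    "cookie_consent=accepted; Max-Age=31536000; Path=/; Secure; SameSite=Strict",
]
SAMPLE_NOW = datetime(2025, 6, 15, 12, 0, tzinfo=timezone.utc)   # fixed reference time


def cookie_findings(info):
    """Common cookie-hardening expectations (not the IWTS rule text itself)."""
    findings = []
    if not info["secure"]:
        findings.append("missing Secure attribute")
    if not info["persistent"] and not info["httponly"]:
        findings.append("session cookie without HttpOnly")
    if info["samesite"] is None:
        findings.append("SameSite not set")
    return findings


def describe_cookie(set_cookie_header, site_host, now=None):
    """Parse one Set-Cookie header and describe the nature of the cookie."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    if len(jar) != 1:
        raise ValueError(f"expected one cookie per header: {set_cookie_header!r}")
    name, morsel = next(iter(jar.items()))
    now = now or datetime.now(timezone.utc)

    # A cookie is persistent when it carries Max-Age or Expires; otherwise it
    # lives only for the browser session.
    lifetime_days = None
    if morsel["max-age"]:
        lifetime_days = int(morsel["max-age"]) / 86400
    elif morsel["expires"]:
        expires = parsedate_to_datetime(morsel["expires"])
        lifetime_days = (expires - now).total_seconds() / 86400

    # Without a Domain attribute the cookie is host-only; with one it applies
    # to that domain and its subdomains.
    domain = morsel["domain"].lstrip(".").lower() or site_host.lower()
    host = site_host.lower()
    info = {
        "name": name,
        "persistent": lifetime_days is not None,
        "lifetime_days": None if lifetime_days is None else round(lifetime_days, 1),
        "secure": bool(morsel["secure"]),
        "httponly": bool(morsel["httponly"]),
        "samesite": morsel["samesite"] or None,
        "first_party": host == domain or host.endswith("." + domain),
    }
    info["findings"] = cookie_findings(info)
    return info


def inspect_cookies(set_cookie_headers, site_host, now=None):
    """Describe every cookie set by the response headers of the inspected site."""
    return [describe_cookie(h, site_host, now) for h in set_cookie_headers]


if __name__ == "__main__":
    for entry in inspect_cookies(SAMPLE_SET_COOKIE, "www.example.com", SAMPLE_NOW):
        print(entry)
```

With real traffic, the header list comes from `response.headers.get_all("Set-Cookie")` on a `urllib` response; cookies that only appear after a consent banner is accepted have to be collected in a second pass.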
Examples of allowed cookie-notices (also relevant for the sections Data Protection, 1. Cookie-Notice Banner, c) and d)
If, in contrast to contact or data collection forms, these are newsletter forms or forms designated for notification actions, which enable the future, unsolicited sending of messages, an explicit consent to the data protection notice by the website visitor is required. This consent is generally given by an unchecked checkbox that must be actively clicked before the form data can be sent.
In each form, according to the type of form, only relevant, personal data may be collected through defined mandatory fields.
For contact or data collection forms these are:
For forms in the sense of newsletter forms or similar, this is only the email address.
Any other data that may be requested must not be mandatory. The provision of this information is therefore voluntary by the user.
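The newsletter-form rules above (only the email address may be mandatory, consent is given through a checkbox that is unchecked by default and must be actively ticked before sending) can be checked automatically against a page's HTML. The following is an added example, not IWTS material; it uses the standard-library `HTMLParser`. The two forms in `SAMPLE_HTML` are constructed (one conform, one with two violations), `CONSENT_HINTS` is an assumed list of name fragments used to recognise the consent checkbox, and an email field is recognised by `type="email"` or a name containing "mail". For contact forms the list of permitted mandatory fields comes from the standard itself and is not assumed here; `check_newsletter_form` covers the newsletter case only.

```python
from html.parser import HTMLParser

# Constructed page fragment with two newsletter forms: one as the criterion
# expects it, one with two violations.
SAMPLE_HTML = """
<form id="newsletter-ok" action="/newsletter" method="post">
  <input type="email" name="email" required>
  <input type="text" name="firstname">
  <input type="checkbox" name="privacy_consent" required> I accept the privacy notice
  <input type="submit" value="Subscribe">
</form>
<form id="newsletter-bad" action="/newsletter" method="post">
  <input type="email" name="email" required>
  <input type="tel" name="phone" required>
  <input type="checkbox" name="privacy_consent" checked required>
  <input type="submit" value="Subscribe">
</form>
"""

CONSENT_HINTS = ("consent", "privacy", "datenschutz", "agree")   # assumed naming conventions
NON_DATA_TYPES = {"submit", "button", "hidden", "reset", "image"}


class FormScanner(HTMLParser):
    """Collect the fields of every <form> on a page."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)   # boolean attributes such as `required` map to None
        if tag == "form":
            self._current = {"id": a.get("id") or a.get("action") or f"form#{len(self.forms) + 1}",
                             "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "textarea", "select") and self._current is not None:
            self._current["fields"].append({
                "name": (a.get("name") or "").lower(),
                "type": (a.get("type") or ("text" if tag == "input" else tag)).lower(),
                "required": "required" in a,
                "checked": "checked" in a,
            })

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def scan_forms(html):
    scanner = FormScanner()
    scanner.feed(html)
    return scanner.forms


def is_email_field(field):
    return field["type"] == "email" or "mail" in field["name"]


def check_newsletter_form(form):
    """Return a list of findings for a newsletter form; empty means conform."""
    findings = []
    for f in form["fields"]:
        if f["type"] in NON_DATA_TYPES or f["type"] == "checkbox":
            continue
        if f["required"] and not is_email_field(f):
            findings.append(f"field '{f['name']}' is mandatory, but only the email address may be required")
    consent = [f for f in form["fields"]
               if f["type"] == "checkbox" and any(h in f["name"] for h in CONSENT_HINTS)]
    if not consent:
        findings.append("no consent checkbox for the data protection notice found")
    for box in consent:
        if box["checked"]:
            findings.append(f"consent checkbox '{box['name']}' is pre-checked; it must be unchecked by default")
        if not box["required"]:
            findings.append(f"consent checkbox '{box['name']}' is not required; the form must not be sendable without it")
    return findings


if __name__ == "__main__":
    for form in scan_forms(SAMPLE_HTML):
        print(form["id"], check_newsletter_form(form) or "conform")
```

The `required` attribute is only the client-side half of the rule; the server must reject a submission without the consent value as well, which this static scan cannot see.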
Some of the previous inspection criteria are additionally inspected to see whether they have been implemented on the website to be certified in accordance with the General Data Protection Regulation (GDPR, in German DSGVO) and the Telemedia Act (TMG). This applies to the following areas, and the inspection covers them accordingly:
You confirm the domain via your domain host. Your domain host is usually the provider from whom you purchased the domain. Your domain host manages the so-called DNS entries. These are settings that control and manage internet access through your domain.
Confirmation is provided by depositing an individual and unique key (IWTS-Site-Verification-Key) provided by IWTS in the application process as a TXT entry, which must be added to the DNS records of your domain host. Detailed and easy-to-follow instructions on how to perform the verification process are provided with your application confirmation email after you have applied for certification or here: Preliminary Work Instructions
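The domain confirmation described above is checked by reading the TXT records of the domain and looking for the verification key. The following is an added example, not IWTS material: the record layout `iwts-site-verification=<key>` in `TXT_PREFIX` is an assumption (the real layout is in the application confirmation email), the key value is a placeholder, and `SAMPLE_DIG_OUTPUT` is constructed `dig +short TXT` output in which one record is split into two quoted chunks, as resolvers print long strings. The parser joins such chunks before comparing, which is the detail that a naive substring check gets wrong.

```python
import re
import subprocess

TXT_PREFIX = "iwts-site-verification="   # assumed record layout, see application email for the real one
_QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')   # one quoted chunk of a TXT record

# Constructed `dig +short TXT example.com` output. The second record is split
# into two quoted chunks, as resolvers do for strings longer than 255 bytes.
SAMPLE_DIG_OUTPUT = '''"v=spf1 include:_spf.example.net -all"
"iwts-site-verification=" "IWTS-KEY-PLACEHOLDER-0000"
"some-other-verification=abc123"
'''


def parse_txt_records(dig_output):
    """Turn `dig +short TXT` output into one string per record, joining chunks
    and undoing the quoting that dig applies."""
    records = []
    for line in dig_output.splitlines():
        chunks = _QUOTED.findall(line)
        if chunks:
            joined = "".join(chunks)
            records.append(joined.replace('\\"', '"').replace("\\\\", "\\"))
    return records


def verification_present(records, expected_key, prefix=TXT_PREFIX):
    """True if exactly one record equals prefix + key (case-insensitive)."""
    wanted = (prefix + expected_key).strip().lower()
    return any(r.strip().lower() == wanted for r in records)


def lookup_txt(domain):
    """Live lookup: needs the `dig` command and network access."""
    result = subprocess.run(["dig", "+short", "TXT", domain],
                            capture_output=True, text=True, check=True)
    return parse_txt_records(result.stdout)


if __name__ == "__main__":
    recs = parse_txt_records(SAMPLE_DIG_OUTPUT)
    print(recs)
    print(verification_present(recs, "IWTS-KEY-PLACEHOLDER-0000"))
```

After adding the record at the domain host, `lookup_txt("example.com")` may lag behind for the duration of the record's TTL; a missing key right after the change is usually propagation delay rather than a misconfiguration.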
In order to verify that the company, owner, address and registration data of the company correspond to the information on the website, appropriate proof must be provided before the audit begins.
The proof must be a current extract from the register. If the company or organization does not have to be entered in a register, the proof must be a business registration in the Trade Licensing Office. If the company or organisation does not have to be entered in a register or registered with the Trade Licensing Office, the proof must be another, up-to-date invoice document showing that the website to be certified belongs to the specified company. This can be a consumption, rental, electricity or internet connection bill.
The legal notice link provided on each page of the website to be certified must lead directly to the legal notice page or to a separate area for the legal notice where the complete legal notice is listed.
All required data must be given in the legal notice. These are in general:
The vast majority of website visits are now made using mobile devices such as smartphones and tablets. In order to guarantee user-friendliness on the one hand and to ensure that all tested points of the certification also apply to website visits with a mobile device on the other hand, the IWTS program demands that the websites to be certified have a responsive design. Responsive design means that the contents of the website are adapted to displays on mobile devices. Further information on responsive design can be found here: https://fdwb.de/responsive-design
When certifying websites according to the IWTS-Standard, there is a wide range of factors that determine how a website project is to be checked.
Basically, everything should be kept simple and clear and primarily meet the requirements of safety and a legally compliant design.
For companies with... see part 2 below
Enterprises with larger website projects, and the responsibility that comes with them, often have several specialised individual integrations in place. These play an important role when a legally compliant implementation is examined, and they therefore also affect how, and to what extent, a certification can be inspected.
When operating a website project, mostly external companies or service providers are used, which take over important tasks in various areas of IT, including the creation, maintenance or servicing of the website project. The larger a project is, the more specialized the requirements, the implementation and the internal and external participants become.*
Since 2020, the IWTS-Standard has enabled certification even for complex websites. For this purpose, the applicant involves a reviewer who determines and confirms the professional and appropriate implementation.
Several specialist experts for the areas of cyber security, GDPR, law and other areas can also work together, where required, to enable a professional confirmation.
Large website projects are often system relevant in their sphere of activity. The probability is much higher that damage can occur due to the size of the company, the complexity of the web application or the number of employees involved. Also the number of customers who can be harmed plays a decisive role for the necessary precautions and security in website projects. Added to this are the additional volumes of content, products, extended service pages or even media that are included in the web project.
However, smaller companies with fewer than 50 employees, as well as online stores, that want to have their website projects certified can also choose this testing standard through a consulting firm or a reviewer in order to receive the result of a successful test with an even stronger recognition in the test procedure.
Inspection details: see Program Manual Inspection Point P0043 here