Inspection Criteria Overview

This overview of the inspection criteria of the International Website Trust Standard (IWTS) is an extended explanation: it covers the technical aspects, but is also meant to give a non-specialist an understandable account of what is inspected and how.

The description on this page is informal. The binding inspection instructions used in the certification audit, including the criteria for rating an item "conform" or "non-conform", are laid down in the IWTS standard manual.

 

Inspection areas

Note: The information in brackets within the headings indicates the variant of the IWTS-Standard for which the criteria are inspected.

DE = German variant
INT = International variant

Cyber Security

Four areas are examined for cyber security:

1. Inspection for open forwarding to another Internet address (DE & INT)

It is checked whether the URL (internet address) given when the application is submitted is also the URL at which the areas to be inspected are served. If the address shown in the browser changes after the submitted URL has been entered and the website has loaded, the site forwards to another address (an "open forwarding" in IWTS terminology) and the inspection is not passed. The applicant should therefore submit the address the website actually resolves to, not an alias that redirects to it. Note that this is a check for forwarding of the inspected URL itself; it is distinct from the "open redirect" vulnerability class, in which a redirect target is taken unchecked from user input.

2. Existence of the Hypertext Transfer Protocol Secure (HTTPS) (DE & INT)

The Hypertext Transfer Protocol Secure (HTTPS) is an extension of the Hypertext Transfer Protocol (HTTP) and is used for secure communication on the Internet: the HTTP traffic is carried inside a TLS connection (historically SSL, see Cyber Security 3.), which encrypts it and authenticates the server. After the website has loaded, the use of HTTPS can be recognized in the browser's address line by the string https:// in front of the URL. If unencrypted communication were used, only http:// would be displayed and the inspection would not be passed.

Note: Some browsers, such as Chrome or Opera, no longer display https:// or http:// in the address bar by default, to keep the display short. To make the complete URL, including https:// or http://, visible in Chrome, double-click on the URL in the address bar; the site-information icon next to the URL also states whether the connection is secure.
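As an added illustration of criteria 1 and 2 (this is not IWTS's own tooling), the following Python script follows a redirect chain hop by hop, compares the final address with the submitted one and reports whether the final address uses https://. The fetch function is injected so the script runs against constructed responses offline; live_fetch performs the same request over the network. The host name example.test and the responses are made up.

```python
"""Follow a site's redirect chain and report 'open forwarding' and HTTPS use.

Added example, not IWTS tooling. The sample chain below is constructed.
"""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}
MAX_HOPS = 10


def normalise(url):
    """Canonical form for comparison: lower-case scheme/host, '/' for an empty path."""
    p = urlsplit(url)
    return (p.scheme.lower(), p.netloc.lower(), p.path or "/", p.query)


def resolve_chain(start_url, fetch):
    """Return the list of URLs visited, ending at the first non-redirect response.

    fetch(url) -> (status, Location header or None). It is injected so the same
    logic runs against live HTTP (live_fetch) or against constructed responses.
    """
    chain = [start_url]
    url = start_url
    for _ in range(MAX_HOPS):
        status, location = fetch(url)
        if status not in REDIRECT_CODES or not location:
            return chain
        url = urljoin(url, location)  # Location may be relative (RFC 7231 7.1.2)
        if url in chain:
            raise RuntimeError("redirect loop: " + " -> ".join(chain + [url]))
        chain.append(url)
    raise RuntimeError("more than %d redirects from %s" % (MAX_HOPS, start_url))


def inspect_url(submitted, fetch):
    """Criteria 1 and 2: does the submitted address change, and is the final one HTTPS?"""
    chain = resolve_chain(submitted, fetch)
    final = chain[-1]
    return {
        "final_url": final,
        "hops": len(chain) - 1,
        "forwarding_detected": normalise(final) != normalise(submitted),
        "host_changed": urlsplit(final).hostname != urlsplit(submitted).hostname,
        "https": urlsplit(final).scheme.lower() == "https",
    }


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so each hop can be inspected."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def live_fetch(url, timeout=10):
    """One real HTTP request; returns (status, Location). Only header-level
    redirects are seen: meta-refresh or JavaScript redirects need a browser."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # urllib raises on 3xx once not followed
        return err.code, err.headers.get("Location")


# Constructed responses for an offline run: http://example.test/ upgrades to
# HTTPS and then forwards to /start, so the submitted address changes.
SAMPLE_RESPONSES = {
    "http://example.test/": (301, "https://example.test/"),
    "https://example.test/": (302, "/start"),
    "https://example.test/start": (200, None),
}


def sample_fetch(url):
    return SAMPLE_RESPONSES[url]


if __name__ == "__main__":
    print(inspect_url("http://example.test/", sample_fetch))
    # Live check: inspect_url("https://www.example.com/", live_fetch)
```

A header-based check like this does not see redirects performed by a meta refresh tag or by JavaScript after the page has loaded; those require rendering the page in a browser, which is why the criterion is phrased in terms of what the address bar shows.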

3. Active encryption of the communication protocol by SSL/TLS (DE & INT)

Secure communication on the internet relies on strong encryption by TLS (Transport Layer Security): the server's certificate proves the identity of the website, and the TLS handshake negotiates the encrypted session. Although TLS is the current standard, the term SSL (Secure Sockets Layer) is still widely used for its deprecated predecessor. All SSL versions and TLS 1.0 and 1.1 are considered obsolete and should no longer be offered.

The use of a TLS certificate can be recognized in the browser by the string https://, which was checked in the previous section (Cyber Security 2.), and by the closed padlock (in newer browser versions, a site-information icon) at the beginning of the address line, usually shown in grey or green depending on the browser.

To ensure that the certificate used on the website under inspection is valid and fully functional, i.e. that it chains to a trusted root, matches the host name, has not expired and causes no security or warning messages in the browser, the certificate is verified using up-to-date, appropriate and reliable technical means.
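The following Python example, added here and not part of the IWTS tooling, performs the two checks that produce most browser certificate warnings: the host name must be covered by a subjectAltName entry (with the one-label wildcard rule) and the current time must lie within the notBefore/notAfter window. The certificate dictionary is constructed in the shape Python's getpeercert() returns; fetch_live_cert shows how to obtain the real one, where the standard library's default context already rejects an untrusted chain or a wrong name during the handshake. The host example.test and the dates are made up.

```python
"""Check a server certificate the way a browser does: host name and validity window.

Added example, not IWTS tooling. The sample certificate dict is constructed in
the shape returned by ssl.SSLSocket.getpeercert().
"""
import socket
import ssl
import time


def hostname_matches(hostname, cert):
    """True if hostname is covered by a DNS subjectAltName entry.

    Only SAN entries count (browsers ignore the subject CN). A wildcard matches
    exactly one label and only in the leftmost position (RFC 6125 section 6.4.3).
    """
    host = hostname.lower().rstrip(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        pattern = value.lower().rstrip(".")
        if pattern == host:
            return True
        if pattern.startswith("*."):
            suffix = pattern[1:]  # "*.example.test" -> ".example.test"
            prefix = host[: -len(suffix)] if host.endswith(suffix) else None
            if prefix and "." not in prefix:  # exactly one non-empty label
                return True
    return False


def validity(cert, now=None):
    """Return (valid_now, days_remaining) from the certificate's notBefore/notAfter."""
    now = time.time() if now is None else now
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return not_before <= now <= not_after, int((not_after - now) // 86400)


def check_certificate(hostname, cert, now=None):
    valid_now, days = validity(cert, now)
    return {"hostname_ok": hostname_matches(hostname, cert),
            "in_validity_window": valid_now,
            "days_remaining": days}


def fetch_live_cert(host, port=443, timeout=10):
    """Handshake with the real server. create_default_context() verifies the
    chain against the system trust store and checks the host name; a failing
    site raises ssl.SSLCertVerificationError here, which is the case a browser
    reports as a security warning. Returns (tls_version, cert_dict)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version(), tls.getpeercert()


# Constructed certificate, in getpeercert() shape, for an offline run.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.test"),),),
    "subjectAltName": (("DNS", "example.test"), ("DNS", "*.example.test")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Mar  1 00:00:00 2025 GMT",
}
SAMPLE_NOW = 1735689600  # 2025-01-01 00:00:00 UTC, inside the validity window

if __name__ == "__main__":
    for name in ("www.example.test", "deep.sub.example.test"):
        print(name, check_certificate(name, SAMPLE_CERT, SAMPLE_NOW))
    # Live: version, cert = fetch_live_cert("www.example.com")
    #       check_certificate("www.example.com", cert)
```

In Python 3.10 and later, create_default_context() also refuses protocol versions below TLS 1.2, so a successful handshake is itself evidence that the server offers a current protocol. The days_remaining value is what an operator should monitor so that the certificate is renewed before it produces the warning this criterion fails on.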

4. Technical security test (DE & INT)

Cyber security also includes the technical condition of a website, so the website is inspected for security holes and for signs that it has been technically compromised.

The IWTS-Standard tests rely on state-of-the-art tools and global integrity-monitoring databases to detect vulnerabilities, malware and viruses on a website. A website may be infected with malware or misused for spam, or poor technical conditions and settings may allow it to be taken over in whole or in part. Such compromises harm both the website operator and the website's visitors.

To ensure the highest possible security of the website, a check for currently known and relevant malicious systems and security holes is carried out with a scanning tool.

The scan result must have at least the rating "low risk" (Low); the best rating is "minimal risk". A website with one of these ratings is classified as safe with low risk according to the IWTS-Standard.

The cyber security test covers:

  • Malware, viruses, spam, defacement and other site or security problems
  • Outdated software and plugins
  • Listing of the website in official blacklists (Google Safe Browsing, Norton Safe Web, McAfee, Sucuri Labs, ESET, PhishTank, Yandex, Opera, Spamhaus)

The test shall be carried out using up-to-date, appropriate and reliable technical means.
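As an added example of one component of the blacklist check in the list above (Spamhaus), and not the IWTS scanner itself, the following Python script builds DNSBL query names for the server's IP address (Spamhaus ZEN) and for the host name (Spamhaus DBL) and interprets the answer. The resolver is injected so the constructed answers run offline; system_resolve performs the real lookup. The 127.0.0.x and 127.0.1.x return codes are Spamhaus' published values as known to the author of this example and should be verified against the current Spamhaus documentation; example.test and the sample answers are made up.

```python
"""Query DNS-based blocklists (Spamhaus ZEN for the server IP, DBL for the
host name) as one part of a blacklist check.

Added example, not IWTS tooling; the resolver is injected so the constructed
answers below run offline. Return codes follow Spamhaus' published list and
should be checked against the current Spamhaus documentation.
"""
import ipaddress
import socket

ZEN_ZONE = "zen.spamhaus.org"   # IP blocklist (SBL, XBL, PBL combined)
DBL_ZONE = "dbl.spamhaus.org"   # domain blocklist

ZEN_CODES = {
    "127.0.0.2": "SBL", "127.0.0.3": "SBL CSS",
    "127.0.0.4": "XBL", "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
    "127.0.0.9": "SBL DROP/EDROP",
    "127.0.0.10": "PBL (ISP)", "127.0.0.11": "PBL (Spamhaus)",
}
DBL_CODES = {
    "127.0.1.2": "spam domain", "127.0.1.4": "phish domain",
    "127.0.1.5": "malware domain", "127.0.1.6": "botnet C&C domain",
    "127.0.1.102": "abused legit spam", "127.0.1.103": "abused spammed redirector",
    "127.0.1.104": "abused legit phish", "127.0.1.105": "abused legit malware",
    "127.0.1.106": "abused legit botnet C&C",
}
# 127.255.255.x answers are error signals, not listings (e.g. .254 = query came
# through a public resolver, .255 = query volume exceeded).
ERROR_PREFIX = "127.255.255."


def query_name_for_ip(ip):
    """Reverse the address into DNSBL form: 192.0.2.1 -> 1.2.0.192.zen.spamhaus.org.
    ipaddress.reverse_pointer also yields the nibble form for IPv6 addresses."""
    rev = ipaddress.ip_address(ip).reverse_pointer.rsplit(".", 2)[0]
    return f"{rev}.{ZEN_ZONE}"


def query_name_for_domain(domain):
    return f"{domain.lower().rstrip('.')}.{DBL_ZONE}"


def interpret(answers, codes):
    """Turn the A records of a DNSBL answer into a verdict; [] means not listed."""
    listed, errors = [], []
    for addr in answers:
        if addr.startswith(ERROR_PREFIX):
            errors.append(addr)
        else:
            listed.append(codes.get(addr, f"unknown code {addr}"))
    return {"listed": bool(listed), "reasons": listed, "errors": errors}


def check_ip(ip, resolve):
    return interpret(resolve(query_name_for_ip(ip)), ZEN_CODES)


def check_domain(domain, resolve):
    return interpret(resolve(query_name_for_domain(domain)), DBL_CODES)


def system_resolve(qname):
    """Live resolver: A records for qname, [] when NXDOMAIN (= not listed)."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(qname, None, socket.AF_INET)})
    except socket.gaierror:
        return []


# Constructed answers for an offline run.
SAMPLE_ANSWERS = {
    "1.2.0.192.zen.spamhaus.org": ["127.0.0.2", "127.0.0.10"],  # SBL + PBL listing
    "2.2.0.192.zen.spamhaus.org": ["127.255.255.254"],           # error, not a listing
}


def sample_resolve(qname):
    return SAMPLE_ANSWERS.get(qname, [])


if __name__ == "__main__":
    print(check_ip("192.0.2.1", sample_resolve))
    print(check_ip("192.0.2.2", sample_resolve))
    print(check_domain("example.test", sample_resolve))
    # Live: check_domain("www.example.com", system_resolve)
```

The error range matters in practice: Spamhaus answers 127.255.255.254 to queries arriving through large public resolvers and 127.255.255.255 when the query volume is exceeded, and a naive "any answer means listed" check would report every such site as blacklisted. Use beyond Spamhaus' free-use limits requires a Data Query Service key, and the other services in the list (Google Safe Browsing, PhishTank and so on) each have their own API, so a scanner queries each of them in its own way.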

Data Protection

1. Cookie-Notice Banner

a) Presence of cookies and subsequent need for a cookie-notice banner (DE)

The term cookie comes from English and in its original meaning can be translated into German as "Keks" (biscuit, cookie). On the Internet, a cookie is a small piece of data that a website instructs the browser to store on the user's device; the browser sends it back with every later request to the same site. Cookies are used to keep a user logged in, to remember settings and, by means of identifiers stored in them, to recognize the user on repeated visits and track surfing behaviour, so that the website can adapt to the user and, in the case of third-party cookies, pass usage data to other services.

On every website the user must be informed about the use of cookies when visiting the site, unless the cookies are purely technical. This is done by means of a so-called cookie notice, usually a banner that is clearly visible on the page and contains all prescribed content: the information that cookies are used, a reference to the right of objection and to data protection, and a link to the privacy policy.

The check for the presence of cookies and their nature is carried out with current, appropriate and reliable technical means.

Note: The cookie notice is only displayed on the first visit to a website (or after the stored consent has expired or the browser has deleted the site's data). Once the user has consented or refused, the decision is usually stored in the browser, typically in a cookie or in local storage, so the banner does not appear again on a later visit. If no cookie notice appears when the page is opened, it must be ensured that this really is a first visit. In case of doubt, clear the browser's stored data for the site (or use a fresh private window) and open the page again. If no cookie notice appears even then, either no (non-technical) cookies are used and no notice is necessary, or there is no cookie notice.
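The following Python example (added here; not IWTS tooling) shows the technical side of that check: it parses Set-Cookie headers captured on a first visit, before any consent is given, and reports for each cookie whether it is a session or a persistent cookie, whether it was set by the site itself or by a third-party host, and which security attributes it carries. The site www.example.test, the tracker host and the headers are constructed; the registrable-domain helper is a deliberate simplification noted in the code.

```python
"""Parse Set-Cookie headers and classify each cookie (session vs persistent,
first- vs third-party, security attributes).

Added example, not IWTS tooling. The headers below are constructed. The parser
reports technical facts; whether a cookie is 'purely technical' in the legal
sense is a judgement the reviewer makes on top of this output.
"""
from urllib.parse import urlsplit


def parse_set_cookie(header):
    """Parse one Set-Cookie header value (RFC 6265 section 5.2) into a dict."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip(), "domain": None,
              "path": None, "secure": False, "httponly": False,
              "samesite": None, "max_age": None, "expires": None}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "secure":
            cookie["secure"] = True
        elif key == "httponly":
            cookie["httponly"] = True
        elif key == "samesite":
            cookie["samesite"] = val.capitalize() or None
        elif key == "domain":
            cookie["domain"] = val.lstrip(".").lower()  # a leading dot is ignored
        elif key == "path":
            cookie["path"] = val
        elif key == "max-age":
            cookie["max_age"] = int(val)
        elif key == "expires":
            cookie["expires"] = val  # contains a comma, but never a semicolon
    # A cookie with neither Max-Age nor Expires is deleted when the browser closes.
    cookie["persistent"] = cookie["max_age"] is not None or cookie["expires"] is not None
    return cookie


def registrable_domain(host):
    """Crude approximation: the last two labels. A real scanner uses the Public
    Suffix List so that e.g. example.co.uk is not confused with co.uk."""
    return ".".join(host.lower().split(".")[-2:])


def audit_cookies(site_url, responses):
    """responses: list of (response_url, set_cookie_header). Cookies set for
    another registrable domain than the site's are third-party cookies."""
    site = registrable_domain(urlsplit(site_url).hostname)
    report = []
    for response_url, header in responses:
        c = parse_set_cookie(header)
        setter = c["domain"] or urlsplit(response_url).hostname
        c["third_party"] = registrable_domain(setter) != site
        c["findings"] = []
        if urlsplit(response_url).scheme == "https" and not c["secure"]:
            c["findings"].append("missing Secure on an HTTPS response")
        if c["samesite"] is None:
            c["findings"].append("no SameSite attribute")
        if c["persistent"] and c["third_party"]:
            c["findings"].append("persistent third-party cookie: needs consent before being set")
        report.append(c)
    return report


# Constructed headers as a browser would receive them on a first visit.
SAMPLE_SITE = "https://www.example.test/"
SAMPLE_RESPONSES = [
    ("https://www.example.test/",
     "PHPSESSID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("https://www.example.test/",
     "lang=de; Max-Age=31536000; Path=/"),
    ("https://tracker.adnet.test/pixel.gif",
     "_tid=xyz; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Domain=.adnet.test; Path=/; Secure; SameSite=None"),
]

if __name__ == "__main__":
    for c in audit_cookies(SAMPLE_SITE, SAMPLE_RESPONSES):
        print(c["name"], "persistent" if c["persistent"] else "session",
              "third-party" if c["third_party"] else "first-party", c["findings"])
```

Whether a cookie is purely technical is a legal judgement the script cannot make, but persistence and third-party origin are the facts that judgement rests on. Cookies written by JavaScript (document.cookie) never appear in Set-Cookie headers, so a complete inventory needs a headless browser that records the cookie jar after the page has fully loaded and before the banner is answered.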

b) Existence of a valid notice text in the cookie-notice banner (DE)

Necessary contents are the information that cookies are used, a reference to the right of objection and to data protection as well as a link to the privacy policy.

Examples of allowed cookie notices (also relevant for the sections Data Protection, 1. Cookie-Notice Banner, c) and d)):

c) Possibility to refuse cookies (DE)

The cookie notice must offer the possibility to refuse the use of cookies by a click. This is done either by an opt-out button (opt-out means expressing an objection) in the cookie notice or by a clear link to the place on the website where cookies can be rejected.

d) Possibility to allow cookies (DE)

As well as the ability to refuse cookies, the cookie notice must include the option to explicitly consent to the use of cookies. This is done either by an opt-in button (opt-in means expressing consent) or by a link whose click leads to active consent to the use of cookies. The button or link must be labelled allow/use/accept cookies. A mere reference or information on the use of cookies without the possibility of express consent is not sufficient; a button labelled only "OK" is therefore not sufficient either.

2. Privacy Policy

Note: All points of the following sections (Data protection, 2. Privacy Policy, a) - d)) also apply if the website to be certified contains additional English or other language versions. Necessary content must therefore also be included in the respective language.

a) Link to the privacy policy (DE)

The link to the privacy policy must be clearly visible on the home page as well as on each sub page. It must be located either in the upper header or in the lower footer. The link must read "Privacy Policy", "Data Privacy Statement", "Data Privacy Information" or "Data Protection Declaration" and link directly to the privacy policy page.

In the case of an additional English language version, the link must be designated by one of the English terms "Privacy Policy", "Data Privacy Statement", "Data Privacy Information" or "Data Protection Declaration"; in the case of another language, by the term for "Privacy Policy" or "Data Protection" (or a similar term) in that language.

b) Is there a privacy policy? (DE)

The privacy policy page must contain a detailed text entitled "Privacy Policy" which addresses the issue of privacy.

In the case of an English language version, the privacy policy page must likewise carry a clear heading "Privacy Policy", "Data Privacy Statement", "Data Privacy Information" or "Data Protection Declaration" and address the issue of data protection in English; in the case of another language, it must carry the heading "Privacy Policy" or "Data Protection" (or a similar term) in that language and address data protection in that language.

c) The form of the privacy policy is clear and structured (DE)

A privacy policy must be clearly structured and easy to read. It must therefore be provided with headings, topic blocks, structured bullet points and paragraphs.

d) Company data in the privacy policy (DE)

One of the requirements of the privacy policy is that company data must be easily identifiable. For this reason, the company name, the address of the company and contact details must be listed under one of the headings of the privacy policy. The company data corresponds to the company data that is also listed in the legal notice. 

There are no fixed requirements as to how the heading of the section in the privacy policy in which the company data is included should be named. Nor are there any fixed requirements as to exactly where the company data must be located. However, the heading is often "Name and address of the controller" or similar.

3. Obligation to refer to existing data protection officer (DE)

If the company of the website under inspection has a data protection officer, it is obliged to state this in its privacy policy. This information is checked in this inspection criterion.

4. Web contact forms

a) Data protection notice (DE)

Any contact form or other data collection form available on the website under inspection must include a data protection notice. The notice must link to the privacy policy, with the link labelled "privacy policy" or "privacy"; submitting the form then counts as acknowledgement of the notice. The data protection notice must be placed above the "Send" button that triggers the transmission of the entered data. For a contact or data collection form that does not authorize future unsolicited messages (e.g. a newsletter), no further consent is required, such as an unchecked checkbox that must be ticked before the form data can be sent.

b) Data protection checkbox (DE)

If, in contrast to contact or data collection forms, the form is a newsletter form or a form for notification campaigns, i.e. it enables future unsolicited messages to be sent, explicit consent to the data protection notice by the website visitor is required. This consent is generally given by an unchecked checkbox that must be actively ticked before the form data can be sent.

c) Personal data collection (DE & INT)

In each form, only the personal data relevant to that type of form may be collected through mandatory fields.

For contact or data collection forms these are:

  • Salutation
  • Name
  • Email address
  • Subject
  • Text message

For forms in the sense of newsletter forms or similar, this is only the email address.

Any other data that may be requested must not be mandatory; providing it is voluntary for the user.

5. Data protection in terms of the General Data Protection Regulation (GDPR) and the Telemedia Act (TMG) (DE)

Some of the previous inspection criteria are additionally inspected to see whether they have been implemented on the website to be certified in accordance with the General Data Protection Regulation (GDPR, in German DSGVO) and the Telemedia Act (TMG). This applies to the following areas and the inspection corresponds to these:

  • Duty to provide information on the use of cookies, the possibility of refusing the use of cookies and the possibility of consenting to the processing of data by third parties
  • Secure data transmission using a valid SSL/TLS certificate
  • No blanket data collection with forms

Ownership & Identification Obligations

1. Ownership of the domain (DE & INT)

You confirm the domain via your domain host, usually the provider from whom you purchased the domain. Your domain host manages the so-called DNS records: the entries that map your domain name to the servers providing its website, mail and other services.

Confirmation is provided by publishing an individual and unique key (IWTS-Site-Verification-Key), issued by IWTS during the application process, as a TXT record among the DNS records of your domain at your domain host. Detailed, easy-to-follow instructions for the verification process are provided with the application confirmation email after you have applied for certification, or here: Preliminary Work Instructions
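The following Python example, added here and not part of the IWTS tooling, checks that a domain publishes the expected TXT record. The exact record name and value format are whatever the IWTS instructions specify; the example assumes the record value is the key itself, and both the key and the dig output are constructed. The live path calls dig; the parsing handles TXT values that DNS splits into several quoted strings.

```python
"""Verify that a domain publishes the expected TXT record (domain ownership).

Added example, not IWTS tooling. The record format (value == key) is an
assumption; the real format is given in the IWTS instructions. The sample
dig output and the key are constructed.
"""
import shlex
import subprocess


def txt_record_value(rdata_line):
    """Join the quoted character-strings of one TXT record as printed by
    `dig +short`. Values longer than 255 bytes are split into several quoted
    strings ("part1" "part2") and must be concatenated before comparison."""
    return "".join(shlex.split(rdata_line))


def txt_contains_key(rdata_lines, key):
    return any(txt_record_value(line) == key for line in rdata_lines)


def dig_txt(name, nameserver=None):
    """Live lookup with dig. Pass the zone's authoritative nameserver to avoid
    a stale cached answer right after the record was added."""
    cmd = ["dig", "+short", "TXT", name]
    if nameserver:
        cmd.insert(1, "@" + nameserver)
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return [line for line in out.splitlines() if line.strip()]


def verify_domain(name, key, lookup=dig_txt):
    """True if one TXT record of `name` equals the verification key."""
    return txt_contains_key(lookup(name), key)


# Constructed `dig +short TXT example.test` output: an SPF record, a record
# split into two quoted strings, and an unrelated verification record.
SAMPLE_DIG_OUTPUT = [
    '"v=spf1 -all"',
    '"IWTS-KEY-" "0123456789abcdef"',
    '"other-site-verification=zzz"',
]
SAMPLE_KEY = "IWTS-KEY-0123456789abcdef"  # made-up key, not a real IWTS value

if __name__ == "__main__":
    print(verify_domain("example.test", SAMPLE_KEY, lookup=lambda n: SAMPLE_DIG_OUTPUT))
    # Live: verify_domain("example.com", "<key from the application email>")
```

Right after adding the record, query the zone's authoritative name server (dig @ns1.yourhost.example, host name assumed) rather than a caching resolver; otherwise a negative answer cached before the change can be returned for as long as the zone's negative-caching TTL allows.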

2. Ownership of the company (DE & INT)

In order to verify that the company, owner, address and registration data of the company correspond to the information on the website, appropriate proof must be provided before the audit begins.

The proof must be a current extract from the register. If the company or organization does not have to be entered in a register, the proof must be a business registration from the trade licensing office. If the company or organization has to be neither entered in a register nor registered with the trade licensing office, the proof must be another up-to-date invoice document showing that the website to be certified belongs to the specified company, for instance a utility, rental, electricity or internet connection bill.

3. Legal Notice and information contained therein

a) Clear perception of the legal notice (DE & INT)

As with the link to the privacy policy, every page of the website under inspection must carry in its header or footer a clearly visible link labelled "Legal Notice" that leads to the legal notice page. Alternatively, the full legal notice information may be clearly visible on every page of the website under inspection. The complete legal notice details are: the company name and the owner details, the registered office of the company, the legal form of the company, two different means of contact, the person authorized to represent the company in the case of legal entities, the mandatory details for certain professional groups and, for a web shop or sales page, the VAT identification number. All other taxable website operators must also state the VAT ID in the legal notice if one has been issued to them (TMG).

b) Link to the legal notice page (DE & INT)

The legal notice link provided on each page of the website to be certified must lead directly to the legal notice page or to a separate area for the legal notice where the complete legal notice is listed.

c) Necessary information in the legal notice (DE & INT)

All required data must be given in the legal notice. These are in general:

  • Owner data/company information
  • Full owner name
  • Location of the company (address)
  • Registered company name
  • Legal form of the company in the case of a legal entity
  • At least two different ways to get in contact
  • Authorized representative for legal persons
  • For a company, place and number of registration
  • Mandatory data for certain professional groups
  • Value added tax identification number for webshops or sales pages

User-friendliness (DE & INT)

Most website visits are now made from mobile devices such as smartphones and tablets. To guarantee user-friendliness on the one hand and to ensure on the other that all inspected points of the certification also apply when the website is visited from a mobile device, the IWTS program requires that websites to be certified have a responsive design, i.e. that the website's content adapts to the displays of mobile devices. Further information on responsive design can be found here: https://fdwb.de/responsive-design

For the IWTS certification this means that in the mobile view all forms, the privacy policy and the legal notice must be fully visible without horizontal scrolling. Individual text passages or images may occasionally extend beyond the screen, provided this is not the case for all text or images on a page.

Further information on the IWTS-Standard

When certifying websites according to the IWTS-Standard, a wide range of factors determines how a website project should be checked.
Basically, everything should be kept simple and clear and primarily meet the requirements of security and a legally compliant design.
For companies with... see part 2 below  

Companies with larger website projects, and the associated responsibility, often have several specialised integrations that play an important role when a legally compliant implementation is examined; this affects both the testability of the project and the scope of the examination in a certification.

When a website project is operated, external companies or service providers are usually involved and take over important tasks in various areas of IT, including the creation, maintenance or servicing of the website project. The larger a project is, the more specialised the requirements, the implementation and the internal and external participants become.*

Since 2020, the IWTS-Standard has also enabled the certification of complex websites. For this purpose, the applicant involves a reviewer who determines and confirms the professional and appropriate implementation.
Where necessary, several specialist experts for cyber security, GDPR, law and other areas can also work together to enable a professionally sound confirmation.

*Initial situation:

Large website projects are often systemically relevant within their sphere of activity. The probability of damage is much higher because of the size of the company, the complexity of the web application and the number of employees involved. The number of customers who could be harmed also plays a decisive role in the precautions and security needed in website projects, as do the additional volumes of content, products, extended service pages and media included in the web project.

Smaller companies with fewer than 50 employees, as well as online shops, that want to have their website projects certified can also choose this test standard with a consulting firm or a reviewer, in order to obtain a successful test result with even stronger recognition in the test procedure.

Inspection details: see Program Manual Inspection Point P0043 here
