An API gateway is a central entry point for API traffic that consolidates cross-cutting functions such as authentication, rate limiting, logging, and routing in one place, so that the backend services behind it receive only requests the gateway has already checked. Well-known implementations include Kong, AWS API Gateway, and Azure API Management.
In an ISMS, an API gateway supports the implementation of several ISO 27001:2022 Annex A controls: A.8.20 (Networks security), because all API traffic enters through one controlled point; A.8.15 (Logging) and A.8.16 (Monitoring activities), because every request can be logged in one format to one destination; and A.8.25 (Secure development life cycle), because authentication and rate-limiting rules are applied to every API consistently instead of being re-implemented per service. Without a gateway, each microservice needs its own authentication and rate-limiting logic, and each is a separate place where that logic can be missing or wrong. A well-configured gateway therefore reduces the exposed attack surface and simplifies audit evidence, since the policies are enforced and documented centrally. Two caveats apply: the gateway only reduces attack surface if the backend services are unreachable except through it (otherwise its checks can simply be bypassed), and because it is the single enforcement point, a route deployed without its authentication or rate-limiting policy, or a vulnerability in the gateway itself, affects every API at once. Gateway configuration should therefore be version-controlled and reviewed like code, which is also what produces the audit evidence.
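As an added example (not from the original page and not code from Kong or any other product named above), the following Python check reads a Kong declarative (DB-less) configuration and verifies the consistency claim made above: every route must be covered by an authentication plugin and a rate-limiting plugin at route, service, or global level, a logging plugin must be global, and every route must be restricted to HTTPS. The sample configuration, its service names, hostnames, and plugin settings are constructed for the example; Kong accepts JSON as well as YAML for declarative config, so the sample is embedded as JSON to avoid a YAML dependency.

```python
import json

# Plugin names as Kong ships them. Authentication plugins: any one of these
# on a route (directly, via its service, or globally) means the route is
# authenticated. Logging plugins: any one of these at global level means every
# request through the gateway is logged.
AUTH_PLUGINS = {"key-auth", "jwt", "basic-auth", "hmac-auth", "oauth2", "openid-connect"}
LOG_PLUGINS = {"http-log", "file-log", "tcp-log", "udp-log", "syslog"}

# Constructed sample in Kong's declarative format. "orders" is fully protected
# at service level, "reports" protects one route but its export route was
# added without any policy, the kind of gap an ISMS audit should surface.
SAMPLE_CONFIG = json.dumps({
    "_format_version": "3.0",
    "plugins": [  # global plugins
        {"name": "http-log", "config": {"http_endpoint": "http://siem.internal.example:8080/kong"}},
    ],
    "services": [
        {
            "name": "orders",
            "url": "http://orders.svc.cluster.local:8080",
            "plugins": [
                {"name": "key-auth"},
                {"name": "rate-limiting", "config": {"minute": 600, "policy": "local"}},
            ],
            "routes": [{"name": "orders-api", "paths": ["/orders"], "protocols": ["https"]}],
        },
        {
            "name": "reports",
            "url": "http://reports.svc.cluster.local:8080",
            "routes": [
                {"name": "reports-api", "paths": ["/reports"], "protocols": ["https"],
                 "plugins": [{"name": "jwt"},
                             {"name": "rate-limiting", "config": {"minute": 60, "policy": "local"}}]},
                {"name": "reports-export", "paths": ["/reports/export"]},
            ],
        },
    ],
})


def _plugin_names(entity):
    """Names of the plugins attached to a config entity, ignoring disabled ones."""
    return {p["name"] for p in entity.get("plugins", []) if p.get("enabled", True)}


def audit_gateway_config(config_text):
    """Check a Kong declarative config (JSON text) for policy gaps.

    Returns a list of (route_name, finding) tuples; an empty list means every
    route is authenticated, rate limited, HTTPS-only, and globally logged.
    """
    cfg = json.loads(config_text)
    global_plugins = _plugin_names(cfg)
    findings = []

    if not global_plugins & LOG_PLUGINS:
        findings.append(("*", "no global logging plugin"))

    for svc in cfg.get("services", []):
        svc_plugins = _plugin_names(svc)
        for route in svc.get("routes", []):
            name = route["name"]
            # Kong applies global, service and route plugins; a route is covered
            # if the policy is present at any of the three levels.
            effective = global_plugins | svc_plugins | _plugin_names(route)
            if not effective & AUTH_PLUGINS:
                findings.append((name, "no authentication plugin"))
            if "rate-limiting" not in effective:
                findings.append((name, "no rate-limiting plugin"))
            # Kong's default for a route without "protocols" is ["http", "https"],
            # so an absent key also means plaintext is accepted.
            if set(route.get("protocols", ["http", "https"])) != {"https"}:
                findings.append((name, "accepts plaintext HTTP"))
    return findings


if __name__ == "__main__":
    for route, finding in audit_gateway_config(SAMPLE_CONFIG):
        print(f"{route}: {finding}")
```

Run against the sample, the check reports three findings, all on `reports-export`. A script like this belongs in the CI pipeline that deploys the gateway configuration, so that a route cannot reach production without the policies the ISMS claims are enforced; its output over the deployed configuration is also concrete evidence for an auditor. It cannot verify the first caveat above, that backend services are unreachable except through the gateway; that remains a network policy check.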