
IDOR (Insecure Direct Object Reference)

IDOR (Insecure Direct Object Reference) is a common web application vulnerability. It occurs when the application exposes internal object IDs (e.g., database IDs in URLs) and fails to perform server-side authorization checks. An attacker can then access other users’ data simply by changing the ID. IDOR is part of the OWASP Top 10 under the Broken Access Control category. The countermeasure is consistent server-side authorization on every resource access. Your ISMS secure development policy should name IDOR as a known pattern and include automated tests for it.
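The pattern described above, as an added example that is not part of the original glossary entry: a vulnerable lookup that trusts the client-supplied ID beside the hardened version that enforces ownership on every access, plus the kind of automated regression check the entry recommends. The invoice data model, the user IDs and the handler names are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    total_cents: int


# Constructed sample rows standing in for a database table.
INVOICES = {
    1001: Invoice(1001, owner_id=7, total_cents=12500),
    1002: Invoice(1002, owner_id=8, total_cents=990),
}


class NotFound(Exception):
    """Raised for a missing row and for a row the caller is not allowed to see."""


def get_invoice_vulnerable(session_user_id: int, invoice_id: int) -> Invoice:
    """IDOR: the row is fetched by the ID from the URL and the session user
    is never consulted, so any authenticated user can read any invoice."""
    try:
        return INVOICES[invoice_id]
    except KeyError:
        raise NotFound(invoice_id) from None


def get_invoice_secure(session_user_id: int, invoice_id: int) -> Invoice:
    """Server-side authorization on every access: the row must belong to the
    user bound to the session, not merely exist."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice.owner_id != session_user_id:
        # Same response for "missing" and "not yours", so a caller cannot
        # tell valid IDs from invalid ones by probing.
        raise NotFound(invoice_id)
    return invoice


def cross_tenant_access_blocked(handler, session_user_id: int, foreign_invoice_id: int) -> bool:
    """Automated IDOR regression check: True if the handler refuses to return
    an invoice that belongs to a different user."""
    try:
        handler(session_user_id, foreign_invoice_id)
    except NotFound:
        return True
    return False


if __name__ == "__main__":
    # User 7 asks for invoice 1002, which belongs to user 8.
    print("vulnerable blocked:", cross_tenant_access_blocked(get_invoice_vulnerable, 7, 1002))
    print("secure blocked:    ", cross_tenant_access_blocked(get_invoice_secure, 7, 1002))
```

The check in `get_invoice_secure` belongs in the data-access layer (or a central policy function) rather than in each route, so that every code path that touches an invoice runs through it; a test like `cross_tenant_access_blocked` can then be run against each handler in CI.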