
Rate Limiting


Rate limiting restricts how many requests a client may send to a service within a defined time window. When the limit is exceeded, the server typically responds with HTTP 429 (Too Many Requests). This protects APIs and web applications against brute-force attacks, credential stuffing, and accidental overload. Common algorithms include Token Bucket and Sliding Window. In an ISMS context, rate limiting is a technical control for availability and access security. Make sure the limits are tuned so that legitimate users are not affected.
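A per-client Token Bucket check that returns HTTP 429 with a `Retry-After` hint, added here as an illustration and not part of the original glossary entry. The class name, parameters, client IDs and sample traffic are constructed assumptions.

```python
import math
from dataclasses import dataclass

@dataclass
class Bucket:
    tokens: float   # tokens currently available
    updated: float  # timestamp of the last refill, in seconds

class TokenBucketLimiter:
    """capacity bounds a burst; refill_rate is the sustained requests/second."""

    def __init__(self, capacity, refill_rate):
        if capacity < 1 or refill_rate <= 0:
            raise ValueError("capacity must be >= 1 and refill_rate > 0")
        self.capacity = capacity
        self.refill_rate = refill_rate
        self._buckets = {}  # one bucket per client, so one client cannot starve another

    def check(self, client_id, now):
        """Return (HTTP status, headers) for one request arriving at time `now`."""
        b = self._buckets.setdefault(client_id, Bucket(float(self.capacity), now))
        # Refill for the elapsed time, capped at capacity; ignore a clock that steps back.
        elapsed = max(0.0, now - b.updated)
        b.tokens = min(float(self.capacity), b.tokens + elapsed * self.refill_rate)
        b.updated = max(b.updated, now)
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            return 200, {}
        # Rejected: report how long until one whole token is available again.
        wait = math.ceil((1.0 - b.tokens) / self.refill_rate)
        return 429, {"Retry-After": str(max(1, wait))}

def replay(limiter, events):
    """Run (client_id, timestamp) events through the limiter and collect status codes."""
    return [limiter.check(cid, t)[0] for cid, t in events]

# Constructed traffic: client-a bursts five requests, client-b sends one in between.
SAMPLE = [("client-a", 0.0), ("client-a", 0.1), ("client-a", 0.2), ("client-b", 0.25),
          ("client-a", 0.3), ("client-a", 0.4), ("client-a", 2.5)]

if __name__ == "__main__":
    # Burst of 3 allowed, then one request every 2 seconds.
    print(replay(TokenBucketLimiter(capacity=3, refill_rate=0.5), SAMPLE))
```

The capacity sets how large a burst a legitimate user can send without being rejected, while the refill rate caps the sustained rate available to brute-force or credential-stuffing traffic.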