A WAF (Web Application Firewall) filters and monitors HTTP/HTTPS traffic between the internet and a web application. It detects and blocks common attacks such as SQL injection, cross-site scripting (XSS), and path traversal. In an ISMS, a WAF is a technical control for publicly accessible web applications. It complements secure coding practices but does not replace them. Common WAF solutions are either rule-based (for example, using the OWASP Core Rule Set) or use machine learning for anomaly detection.
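The rule-based approach described above, reduced to its core, as an added example that is not part of the original entry and is not the OWASP Core Rule Set: the three patterns, the weights, the threshold and the sample requests are constructed for illustration. The last sample is harmless text that still matches the SQL injection pattern, which shows why pattern matching needs tuning and only complements secure coding.

```python
import re
from urllib.parse import unquote_plus

# Illustrative rules only (assumed for this example, not taken from any real rule set).
RULES = [
    ("sqli", re.compile(r"(?i)\bunion\b.+\bselect\b|'\s*or\s+'?\d+'?\s*=\s*'?\d+"), 5),
    ("xss", re.compile(r"(?i)<\s*script\b|\bon\w+\s*=|javascript:"), 5),
    ("path_traversal", re.compile(r"\.\./|\.\.\\"), 5),
]
BLOCK_THRESHOLD = 5  # assumed threshold: one matching rule is enough to block


def normalize(value):
    """Percent-decode up to three times so encoded input is checked by the same rules."""
    for _ in range(3):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect(path, params):
    """Return (action, matched_rule_names, score) for one request."""
    fields = [normalize(f) for f in [path, *params.values()]]
    matched, score = [], 0
    for name, pattern, weight in RULES:
        if any(pattern.search(f) for f in fields):
            matched.append(name)
            score += weight
    action = "block" if score >= BLOCK_THRESHOLD else "allow"
    return action, matched, score


# Constructed sample requests: (path, query parameters)
SAMPLES = [
    ("/products", {"id": "42"}),
    ("/products", {"id": "1' OR '1'='1"}),
    ("/search", {"q": "%3Cscript%3Ealert(1)%3C/script%3E"}),
    ("/download", {"file": "..%252f..%252fetc/passwd"}),
    ("/search", {"q": "student union select committee"}),  # benign, still matches
]

if __name__ == "__main__":
    for path, params in SAMPLES:
        print(path, params, "->", inspect(path, params))
```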