When you start with ISO 27001, the key to reading its bewildering list of controls is not to treat it as a to-do list or an implementation plan, but as a checklist, asking yourself for each control: how are we doing this at the moment? If you already take a sensible approach to your information, your devices and the services you use, chances are you have implemented most of the controls, at least partially. Let's start with some low-hanging fruit:

- [ ] Examples of 'common' controls:
  - [ ] backups
  - [ ] cryptography
  - [ ] physical security
  - [ ] password protection