CISO Assistant Bootstrap
Guide users through CISO Assistant initial setup using MCP server tools.
Prerequisites
Before starting:
-
Verify MCP server connectivity - Check that
ciso-assistantMCP server is available in your tools. Test with:get_folders() # Should return a list of folders -
If MCP tools are not available:
- Ask user to verify MCP server is configured in their Claude Code settings
- Check
.mcp.jsonor MCP configuration includesciso-assistantserver - Ensure
API_URLandTOKENenvironment variables are set - As a last resort, fall back to direct API calls (see Fallback section)
-
Backend must be running - CISO Assistant backend at the configured
API_URL
Bootstrap Flow
Always use MCP tools as the primary method. They provide:
- Automatic name-to-ID resolution (no need to track UUIDs)
- Better error handling with guidance
- Consistent response formatting
1. Gather Information
Ask the user about:
Organization Structure
- Domain name(s) and hierarchy (e.g., "IT Security", "Compliance", "Operations")
- Perimeter(s) for each domain (assessment scopes)
Focus Area
- Compliance-focused (framework audits)
- Risk-focused (risk assessments)
- Both
Industry (for framework recommendations)
- See references/frameworks-by-industry.md for mapping
Risk Assessment Type (if risk-focused or both)
- Qualitative (matrix-based): most common approach, uses probability/impact scales (3x3, 4x4, 5x5)
- Quantitative: advanced monetary modeling with distributions, Monte Carlo simulations
Assets
- Primary assets (PR): core business assets (data, applications, processes)
- Supporting assets (SP): infrastructure supporting primary assets
Third Parties (if applicable)
- Critical vendors/suppliers (entities)
- Solutions they provide
- Criticality level (0-4)
2. Create Resources via MCP (Order Matters)
Execute MCP tools in this order:
1. create_folder(name, description)
ββ 2. create_perimeter(name, description, folder)
ββ 3. create_asset(name, description, asset_type, folder)
ββ 4. import_stored_library(library_urn)
ββ 5a. create_risk_assessment(name, risk_matrix, perimeter)
ββ 5b. create_compliance_assessment(name, framework, perimeter)
ββ 6. create_entity(name, folder, ...)
ββ 7. create_solution(name, provider_entity, criticality, assets)
Note: MCP tools accept names directly (e.g., folder="My Domain") - no need to look up IDs first.
3. Key MCP Tools
Organization:
create_folder(name, description, parent_folder)- Create domaincreate_perimeter(name, description, folder)- Create assessment scope
Assets:
create_asset(name, description, asset_type, folder)- asset_type: "PR" or "SP"
Frameworks:
get_stored_libraries(object_type="framework")- List available frameworksimport_stored_library(library_urn)- Load framework (e.g., "urn:intuitem:risk:library:iso27001-2022")
Risk Assessment (Qualitative):
get_risk_matrices()- List available matricescreate_risk_assessment(name, risk_matrix, perimeter)- Create assessment
Risk Assessment (Quantitative):
create_quantitative_risk_study(name, distribution_model, loss_threshold, ...)- Create study
Compliance:
create_compliance_assessment(name, framework, perimeter)- Create audit
TPRM:
create_entity(name, folder, description, country, currency, default_dependency, default_maturity, default_trust)- Create vendorcreate_solution(name, provider_entity, criticality, assets)- Create servicecreate_representative(email, entity, first_name, last_name, role)- Create contact
4. Example Bootstrap Session
User: "I want to set up CISO Assistant for my healthcare startup"
1. Verify MCP connectivity:
get_folders() # Confirm MCP server responds
2. Ask clarifying questions:
- "What domains do you need? (e.g., IT, Compliance, Operations)"
- "Are you focused on compliance, risk management, or both?"
- "Do you prefer qualitative (matrix-based) or quantitative risk assessment?"
- "What are your critical assets? (applications, databases, etc.)"
- "Do you have critical third-party vendors to track?"
3. Based on healthcare industry, recommend:
- HIPAA-related frameworks
- ISO 27001:2022
- NIST CSF 2.0
4. Create resources via MCP tools:
create_folder("HealthTech Corp", "Main organization domain")
create_perimeter("Production Environment", "Production systems scope", folder="HealthTech Corp")
create_asset("Patient Portal", "Main patient-facing application", "PR", folder="HealthTech Corp")
create_asset("AWS Infrastructure", "Cloud hosting", "SP", folder="HealthTech Corp")
import_stored_library("urn:intuitem:risk:library:iso27001-2022")
create_compliance_assessment("ISO 27001 Audit 2025", framework="ISO 27001:2022", perimeter="Production Environment")
create_entity("AWS", folder="HealthTech Corp", description="Cloud provider")
create_solution("Cloud Hosting", provider_entity="AWS", criticality=3, assets=["AWS Infrastructure"])
Risk Matrix Selection
For qualitative assessments, help user choose:
| Matrix | Use Case |
|---|---|
| 3x3 | Simple, quick assessments |
| 4x4 | Balanced granularity |
| 5x5 | Detailed, enterprise-grade |
Use get_risk_matrices() to list available options.
Validation
After setup, verify with MCP tools:
get_folders()- Confirm domains createdget_perimeters(folder)- Confirm scopesget_assets(folder)- Confirm assetsget_loaded_libraries()- Confirm frameworks loadedget_entities(folder)- Confirm third parties
Fallback: Direct API Calls
Only use if MCP tools are unavailable. Requires manual UUID tracking.
Read token from .mcp.json or ask user for it, then:
# Create folder curl -X POST "http://localhost:8000/api/folders/" \ -H "Authorization: Token <TOKEN>" \ -H "Content-Type: application/json" \ -d '{"name": "My Domain", "description": "..."}' # Create perimeter (requires folder UUID from previous response) curl -X POST "http://localhost:8000/api/perimeters/" \ -H "Authorization: Token <TOKEN>" \ -H "Content-Type: application/json" \ -d '{"name": "common", "folder": "<folder_uuid>"}' # Similar pattern for other endpoints: # POST /api/assets/ # POST /api/stored-libraries/<urn>/import/ # POST /api/risk-assessments/ # POST /api/compliance-assessments/ # POST /api/entities/ # POST /api/solutions/