Bootstrap CISO Assistant for new users by guiding them through initial setup. Use when: (1) the user wants to set up CISO Assistant from scratch; (2) the user mentions "bootstrap", "initial setup", "getting started", or "onboarding" with CISO Assistant; (3) the user needs help creating their organizational structure, loading frameworks, or configuring risk assessments. Covers: domains/folders, perimeters, industry-based framework selection, assets, risk assessment type (qualitative vs quantitative), third-party entities and solutions, and compliance vs risk focus.
Guide users through CISO Assistant initial setup using MCP server tools.
Before starting:
Verify MCP server connectivity - Check that the ciso-assistant MCP server is available in your tools. Test with:
get_folders() # Should return a list of folders
If MCP tools are not available:
- .mcp.json or the MCP configuration includes the ciso-assistant server
- API_URL and TOKEN environment variables are set
- Backend must be running - CISO Assistant backend reachable at the configured API_URL
Always use MCP tools as the primary method. They provide:
Ask the user about:
Organization Structure
Focus Area
Industry (for framework recommendations)
Risk Assessment Type (if risk-focused or both)
Assets
Third Parties (if applicable)
Execute MCP tools in this order:
1. create_folder(name, description)
└─ 2. create_perimeter(name, description, folder)
└─ 3. create_asset(name, description, asset_type, folder)
└─ 4. import_stored_library(library_urn)
└─ 5a. create_risk_assessment(name, risk_matrix, perimeter)
└─ 5b. create_compliance_assessment(name, framework, perimeter)
└─ 6. create_entity(name, folder, ...)
└─ 7. create_solution(name, provider_entity, criticality, assets)
Note: MCP tools accept names directly (e.g., folder="My Domain") - no need to look up IDs first.
Organization:
- create_folder(name, description, parent_folder) - Create domain
- create_perimeter(name, description, folder) - Create assessment scope
Assets:
- create_asset(name, description, asset_type, folder) - asset_type: "PR" or "SP"
Frameworks:
- get_stored_libraries(object_type="framework") - List available frameworks
- import_stored_library(library_urn) - Load framework (e.g., "urn:intuitem:risk:library:iso27001-2022")
Risk Assessment (Qualitative):
- get_risk_matrices() - List available matrices
- create_risk_assessment(name, risk_matrix, perimeter) - Create assessment
Risk Assessment (Quantitative):
- create_quantitative_risk_study(name, distribution_model, loss_threshold, ...) - Create study
Compliance:
- create_compliance_assessment(name, framework, perimeter) - Create audit
TPRM:
- create_entity(name, folder, description, country, currency, default_dependency, default_maturity, default_trust) - Create vendor
- create_solution(name, provider_entity, criticality, assets) - Create service
- create_representative(email, entity, first_name, last_name, role) - Create contact
User: "I want to set up CISO Assistant for my healthcare startup"
1. Verify MCP connectivity:
get_folders() # Confirm MCP server responds
2. Ask clarifying questions:
- "What domains do you need? (e.g., IT, Compliance, Operations)"
- "Are you focused on compliance, risk management, or both?"
- "Do you prefer qualitative (matrix-based) or quantitative risk assessment?"
- "What are your critical assets? (applications, databases, etc.)"
- "Do you have critical third-party vendors to track?"
3. Based on the healthcare industry, recommend:
- HIPAA-related frameworks
- ISO 27001:2022
- NIST CSF 2.0
4. Create resources via MCP tools:
create_folder("HealthTech Corp", "Main organization domain")
create_perimeter("Production Environment", "Production systems scope", folder="HealthTech Corp")
create_asset("Patient Portal", "Main patient-facing application", "PR", folder="HealthTech Corp")
create_asset("AWS Infrastructure", "Cloud hosting", "SP", folder="HealthTech Corp")
import_stored_library("urn:intuitem:risk:library:iso27001-2022")
create_compliance_assessment("ISO 27001 Audit 2025", framework="ISO 27001:2022", perimeter="Production Environment")
create_entity("AWS", folder="HealthTech Corp", description="Cloud provider")
create_solution("Cloud Hosting", provider_entity="AWS", criticality=3, assets=["AWS Infrastructure"])
For qualitative assessments, help the user choose:
| Matrix | Use Case |
|---|---|
| 3x3 | Simple, quick assessments |
| 4x4 | Balanced granularity |
| 5x5 | Detailed, enterprise-grade |
Use get_risk_matrices() to list available options.
After setup, verify with MCP tools:
- get_folders() - Confirm domains created
- get_perimeters(folder) - Confirm scopes
- get_assets(folder) - Confirm assets
- get_loaded_libraries() - Confirm frameworks loaded
- get_entities(folder) - Confirm third parties
REST API fallback - Only use if MCP tools are unavailable. Requires manual UUID tracking.
Read the token from .mcp.json or ask the user for it, then:
# Create folder
curl -X POST "http://localhost:8000/api/folders/" \
-H "Authorization: Token <TOKEN>" \
-H "Content-Type: application/json" \
-d '{"name": "My Domain", "description": "..."}'
# Create perimeter (requires folder UUID from previous response)
curl -X POST "http://localhost:8000/api/perimeters/" \
-H "Authorization: Token <TOKEN>" \
-H "Content-Type: application/json" \
-d '{"name": "common", "folder": "<folder_uuid>"}'
# Similar pattern for other endpoints:
# POST /api/assets/
# POST /api/stored-libraries/<urn>/import/
# POST /api/risk-assessments/
# POST /api/compliance-assessments/
# POST /api/entities/
# POST /api/solutions/
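Added example (not part of CISO Assistant or this skill) of the manual UUID tracking the REST fallback requires: it chains folder, perimeter and asset creation through the endpoints listed above, threads each returned UUID into the next request, and refuses to continue when a response carries no id. The response key "id", the asset field name "type", and the bootstrap() helper are assumptions; API_URL and TOKEN are read from the environment rather than typed on a command line.

```python
"""Hypothetical REST fallback for the bootstrap order on this page (added example)."""
import json
import os
import urllib.request

# Assumption: same environment variables the MCP configuration uses.
API_URL = os.environ.get("API_URL", "http://localhost:8000")
TOKEN = os.environ.get("TOKEN", "")


def http_post(path, payload):
    """Real transport: POST JSON with the Token header (token never appears in argv)."""
    req = urllib.request.Request(
        f"{API_URL}{path}",
        data=json.dumps(payload).encode(),
        headers={"Authorization": f"Token {TOKEN}", "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read())


def _require_id(response, kind):
    """Assumption: every create returns a JSON object with an "id" UUID."""
    value = response.get("id") if isinstance(response, dict) else None
    if not value:
        raise RuntimeError(f"{kind} creation returned no id: {response!r}")
    return value


def bootstrap(post, folder_name, perimeter_name, asset_name, asset_type="PR"):
    """Run the three dependent creates via post(path, payload) -> dict.

    Returns the UUIDs keyed by object kind so later calls (assessments,
    entities, solutions) can reference them; stops at the first bad response
    instead of sending a dangling folder reference onward.
    """
    if asset_type not in ("PR", "SP"):  # same values the MCP create_asset tool accepts
        raise ValueError("asset_type must be 'PR' or 'SP'")
    ids = {}
    folder = post("/api/folders/", {"name": folder_name, "description": "Bootstrap domain"})
    ids["folder"] = _require_id(folder, "folder")
    perimeter = post("/api/perimeters/", {"name": perimeter_name, "folder": ids["folder"]})
    ids["perimeter"] = _require_id(perimeter, "perimeter")
    # Assumption: the REST asset field is "type"; the MCP tool calls it asset_type.
    asset = post("/api/assets/", {"name": asset_name, "type": asset_type, "folder": ids["folder"]})
    ids["asset"] = _require_id(asset, "asset")
    return ids


if __name__ == "__main__":
    print(bootstrap(http_post, "HealthTech Corp", "Production Environment", "Patient Portal"))
```

Passing a different post callable (for example one that records requests) lets the chaining logic be checked without a running backend.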