OpenSkillIndex← back to search
claude-codesecurity

Claude-skill-registry ciso-assistant-bootstrap

install
source · Clone the upstream repo
git clone https://github.com/majiayu000/claude-skill-registry
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/majiayu000/claude-skill-registry "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/data/ciso-assistant-bootstrap" ~/.claude/skills/majiayu000-claude-skill-registry-ciso-assistant-bootstrap && rm -rf "$T"
manifest: skills/data/ciso-assistant-bootstrap/SKILL.md
tags
#ciso#security#risk-management#compliance#setup#onboarding
source content

CISO Assistant Bootstrap

Guide users through CISO Assistant initial setup using MCP server tools.

Prerequisites

Before starting:

  1. Verify MCP server connectivity - Check that 

    ciso-assistant
    MCP server is available in your tools. Test with:

    get_folders()  # Should return a list of folders

  2. If MCP tools are not available:

    • Ask user to verify MCP server is configured in their Claude Code settings
    • Check 
      .mcp.json
      or MCP configuration includes 
      ciso-assistant
      server
    • Ensure 
      API_URL
      and 
      TOKEN
      environment variables are set
    • As a last resort, fall back to direct API calls (see Fallback section)

  3. Backend must be running - CISO Assistant backend at the configured 

    API_URL

Bootstrap Flow

Always use MCP tools as the primary method. They provide:

  • Automatic name-to-ID resolution (no need to track UUIDs)
  • Better error handling with guidance
  • Consistent response formatting

1. Gather Information

Ask the user about:

Organization Structure

  • Domain name(s) and hierarchy (e.g., "IT Security", "Compliance", "Operations")
  • Perimeter(s) for each domain (assessment scopes)

Focus Area

  • Compliance-focused (framework audits)
  • Risk-focused (risk assessments)
  • Both

Industry (for framework recommendations)

Risk Assessment Type (if risk-focused or both)

  • Qualitative (matrix-based): most common approach, uses probability/impact scales (3x3, 4x4, 5x5)
  • Quantitative: advanced monetary modeling with distributions, Monte Carlo simulations

Assets

  • Primary assets (PR): core business assets (data, applications, processes)
  • Supporting assets (SP): infrastructure supporting primary assets

Third Parties (if applicable)

  • Critical vendors/suppliers (entities)
  • Solutions they provide
  • Criticality level (0-4)

2. Create Resources via MCP (Order Matters)

Execute MCP tools in this order:

1. create_folder(name, description)
   └─ 2. create_perimeter(name, description, folder)
         └─ 3. create_asset(name, description, asset_type, folder)
         └─ 4. import_stored_library(library_urn)
         └─ 5a. create_risk_assessment(name, risk_matrix, perimeter)
         └─ 5b. create_compliance_assessment(name, framework, perimeter)
         └─ 6. create_entity(name, folder, ...)
               └─ 7. create_solution(name, provider_entity, criticality, assets)

Note: MCP tools accept names directly (e.g., 

folder="My Domain"
) - no need to look up IDs first.

3. Key MCP Tools

Organization:

  • create_folder(name, description, parent_folder)
    - Create domain
  • create_perimeter(name, description, folder)
    - Create assessment scope

Assets:

  • create_asset(name, description, asset_type, folder)
    - asset_type: "PR" or "SP"

Frameworks:

  • get_stored_libraries(object_type="framework")
    - List available frameworks
  • import_stored_library(library_urn)
    - Load framework (e.g., "urn:intuitem:risk:library:iso27001-2022")

Risk Assessment (Qualitative):

  • get_risk_matrices()
    - List available matrices
  • create_risk_assessment(name, risk_matrix, perimeter)
    - Create assessment

Risk Assessment (Quantitative):

  • create_quantitative_risk_study(name, distribution_model, loss_threshold, ...)
    - Create study

Compliance:

  • create_compliance_assessment(name, framework, perimeter)
    - Create audit

TPRM:

  • create_entity(name, folder, description, country, currency, default_dependency, default_maturity, default_trust)
    - Create vendor
  • create_solution(name, provider_entity, criticality, assets)
    - Create service
  • create_representative(email, entity, first_name, last_name, role)
    - Create contact

4. Example Bootstrap Session

User: "I want to set up CISO Assistant for my healthcare startup"

1. Verify MCP connectivity:
   get_folders()  # Confirm MCP server responds

2. Ask clarifying questions:
   - "What domains do you need? (e.g., IT, Compliance, Operations)"
   - "Are you focused on compliance, risk management, or both?"
   - "Do you prefer qualitative (matrix-based) or quantitative risk assessment?"
   - "What are your critical assets? (applications, databases, etc.)"
   - "Do you have critical third-party vendors to track?"

3. Based on healthcare industry, recommend:
   - HIPAA-related frameworks
   - ISO 27001:2022
   - NIST CSF 2.0

4. Create resources via MCP tools:
   create_folder("HealthTech Corp", "Main organization domain")
   create_perimeter("Production Environment", "Production systems scope", folder="HealthTech Corp")
   create_asset("Patient Portal", "Main patient-facing application", "PR", folder="HealthTech Corp")
   create_asset("AWS Infrastructure", "Cloud hosting", "SP", folder="HealthTech Corp")
   import_stored_library("urn:intuitem:risk:library:iso27001-2022")
   create_compliance_assessment("ISO 27001 Audit 2025", framework="ISO 27001:2022", perimeter="Production Environment")
   create_entity("AWS", folder="HealthTech Corp", description="Cloud provider")
   create_solution("Cloud Hosting", provider_entity="AWS", criticality=3, assets=["AWS Infrastructure"])

Risk Matrix Selection

For qualitative assessments, help user choose:

MatrixUse Case
3x3Simple, quick assessments
4x4Balanced granularity
5x5Detailed, enterprise-grade

Use 

get_risk_matrices()
to list available options.

Validation

After setup, verify with MCP tools:

  • get_folders()
    - Confirm domains created
  • get_perimeters(folder)
    - Confirm scopes
  • get_assets(folder)
    - Confirm assets
  • get_loaded_libraries()
    - Confirm frameworks loaded
  • get_entities(folder)
    - Confirm third parties

Fallback: Direct API Calls

Only use if MCP tools are unavailable. Requires manual UUID tracking.

Read token from 

.mcp.json
or ask user for it, then:

# Create folder
curl -X POST "http://localhost:8000/api/folders/" \
  -H "Authorization: Token <TOKEN>" \
  -H "Content-Type: application/json" \
  -d '{"name": "My Domain", "description": "..."}'

# Create perimeter (requires folder UUID from previous response)
curl -X POST "http://localhost:8000/api/perimeters/" \
  -H "Authorization: Token <TOKEN>" \
  -H "Content-Type: application/json" \
  -d '{"name": "common", "folder": "<folder_uuid>"}'

# Similar pattern for other endpoints:
# POST /api/assets/
# POST /api/stored-libraries/<urn>/import/
# POST /api/risk-assessments/
# POST /api/compliance-assessments/
# POST /api/entities/
# POST /api/solutions/