GRCWatch
Sign inStart free trial

PR.AT-3: Third-Party Security Training

Third-party security breaches are a leading attack vector for SMBs. PR.AT-3 requires your suppliers, customers, and partners to understand their security responsibilities—turning external stakeholders into your first line of defense. Without this alignment, even strong internal controls collapse at your organization's edges.

What this means

This control ensures that all external stakeholders—including vendors, suppliers, customers, and partners—receive clear, documented security training tailored to their roles and access levels. The goal is to create shared accountability: third parties must understand what they're responsible for, what they can and cannot do, and the consequences of security lapses. This goes beyond one-time onboarding; it's about embedding security awareness into your supply chain relationships.

How to comply

  1. 1.Identify all third-party categories (vendors, suppliers, customers, integrators, outsourced service providers) and their access levels to your systems or data.
  2. 2.Create role-based training modules covering security expectations, acceptable use policies, data handling, and incident reporting procedures.
  3. 3.Deliver training before third parties gain access and refresh it annually or when roles change.
  4. 4.Document training completion with sign-off records tied to each third party and role.
  5. 5.Include specific security requirements in contracts and service agreements.
  6. 6.Monitor training effectiveness through quizzes, assessments, or attestations.
  7. 7.Escalate and retrain third parties who demonstrate non-compliance or security gaps.

Evidence auditors look for

  • Third-party training curriculum documents or learning management system records
  • Signed training acknowledgments and completion certificates from vendors and partners
  • Service agreements and contracts that reference security training requirements
  • Training delivery logs with attendance records, dates, and trainer names
  • Assessment scores or certification proof from third-party security training
  • Communication trails (emails, letters) confirming training assignments and deadlines
  • Annual training refresh schedules and completion reports

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates third-party training assignment and tracks completion in one dashboard, generating audit-ready evidence that documents all training acknowledgments and role-based curriculum delivery.

See how GRCWatch handles this control automatically

Start free trial

Related controls

PR.AT-1 (Security Awareness Training)PR.AT-2 (Security Awareness Training Content)PR.IP-2 (Insider Threats)PR.AC-1 (Access Control Policies)DE.AE-1 (Anomaly Detection)