Cyber Security Procurement Guide Australia and New Zealand

Procuring Trusted Cyber Security Services

A practical guide for organisations in Australia and New Zealand

Choosing the right cyber security provider is a critical decision for organisations across Australia and New Zealand seeking to strengthen cyber resilience, reduce risk, and achieve effective security outcomes.

Developed by CREST International, this practical guide provides regionally relevant guidance to help organisations evaluate and select trusted providers of cyber security services, including penetration testing, red teaming, threat intelligence, incident response, and Security Operations Centre (SOC) services.

While tailored for Australia and New Zealand, the principles and approaches outlined are globally applicable and can support organisations in any market.

Download the guide to learn how independent accreditation and professional certification can support better procurement decisions and improve supplier assurance.

Why download this guide?

Cyber security services can be complex to evaluate, and selecting the wrong provider can introduce operational, regulatory, and reputational risks, particularly in highly regulated environments such as those in Australia and New Zealand.

This guide provides practical, actionable advice on:

Cyber security procurement best practices
Evaluating cyber security suppliers and service providers
Understanding the value of independent accreditation
Assessing provider capability, governance, and professional competence
Reducing procurement risk through supplier assurance
Recommended RFT and RFP wording aligned to regional expectations
Practical supplier evaluation checklists

Who is this guide for?

This guide is designed for organisations operating across Australia and New Zealand, including:

Procurement professionals
CISOs and cyber security leaders
Risk and compliance teams
Government (federal/central, state, and local)
Critical infrastructure operators
Financial services organisations
Enterprise security teams
Boards and executive decision-makers

It is also relevant for organisations globally looking to strengthen their cyber security procurement practices.

Why CREST International?

CREST International is a globally recognised not-for-profit accreditation and certification body for the cyber security industry.

CREST International accredited companies are independently assessed against recognised standards for governance, service delivery, quality assurance, and operational capability.

CREST certifications provide assurance that cyber security professionals have demonstrated relevant knowledge and technical competence.

By engaging CREST International accredited providers, organisations in Australia and New Zealand, and globally can strengthen supplier assurance, support procurement due diligence, and improve confidence in cyber security outcomes.

Find a CREST International accredited provider

Search the CREST Marketplace to find accredited providers of penetration testing, red teaming, threat intelligence, incident response, and Security Operations Centre (SOC) services.

Search the CREST Marketplace

Useful links for the CREST (International) website

CREST Accreditation Standards
CREST Certifications and Exams
CREST Member Marketplace
CREST Australasia Council