Becoming a CREST Approved organisation

In order to become CREST Approved, an organisation must provide services and products to or in the cyber and information security industry in Australia or New Zealand, and meet the criteria determined by the Board of CREST Australia New Zealand Ltd from time to time, which include:

  • ascribing to the CREST Australia New Zealand Ltd Constitution, which also confers rights and responsibilities in relation to the governance and functioning of CREST Australia New Zealand Ltd
  • completing a CREST Membership Application Form and providing related supporting documentation
  • consenting to be bound by the CREST Code of Conduct
  • an annual audit of policies and procedures relating to security testing

Most importantly, organisations seeking to become CREST Approved must have, or be seeking to have, staff certified in one or more CREST certifications. It is acknowledged that member organisations may not always have staff who are certified. Upon application, an organisation without CREST certified staff, will have a six month grace period for staff to pass appropriate CREST certifications, or to employ CREST certified staff. Likewise, if a member organisation loses their CREST certified staff, they have a six month grace period to hire or certify new staff, prior to having their membership suspended.

Further information can be found in the CREST Australia New Zealand Membership Policy and documentation can be obtained by contacting CREST Australia New Zealand at