How to go about looking for a pen-tester

["Ershad Shafi Chowdhury" <iru () bol-online com>]

Dear all,

I have been reading with interest this list for a few weeks. Is there
anything special that a customer should look for when choosing a pen tester?
e.g., are there any certifications, associations, government agency that
guarantee the pen-tester won't use the information learned to harm the
network? Should the customer specify what is allowed and what is not
allowed, or give the pen-tester a free hand to do his work? how about
international agreements? Are there any websites recommending and rating
pen-testers? Basically, what should a client do protect himself when asking
a pen-tester to break in to his network.

Thanks for your answers and apologies in advance if this is entirely
unsuitable for the list. I am only asking because I have not seen this
discussed, so I am a bit unsure as to how appropriate the question is.

Regards,
Ershad.