~2-page information security policy template on 'pentesting'.
Provided it is duly authorised and conducted competently by trustworthy professionals, testing the security of a computer network, system or device by attempting to compromise its defences can increase assurance regarding the effectiveness of the security controls and prompt security improvements. However, incompetent or inept penetration testing can be misleading and risky, while unauthorised penetration testing is essentially hacking.
This policy specifies the governance, management, authorisation and monitoring arrangements to maximise the business value and minimise the information risks associated with penetration testing.
If your organisation handles credit cards and hence falls within the remit of PCI-DSS, you may be required to undertake pentesting periodically; the same applies in government and defence. So, is pentesting covered by your policies, procedures and technical controls? Hint: 'trust' is a weak, fragile control.
Supplied as an MS Word document, readily customised for your organisation's specific situation.
Penetration testing policy
Information security policy template on penetration testing
See also the policies on: