Rules of Engagement

Rules of engagement are agreed before a penetration test and define, in binding form, which systems may be tested, which methods are permitted, and which escalation paths apply. They protect both the client and the testing team from legal risk. Typical contents include scope definition, testing window, permitted attack techniques, emergency contacts, and confidentiality agreements. You should commit the rules of engagement to writing and have them signed by both parties. In an ISMS they are documented as part of the audit and testing programme.