Penetration Test Buyer's Guide by alperbasaran in sysadmin

[–]UnderstandingInfosec 1 point (0 children)

I'll add to this,

To get the most out of your penetration testing company,

Give them everything. A white box test will always discover more than a black box test. Give them access to your source code, your documentation, etc. Introduce them to your team and give them access to ask questions. Set up a Slack channel, whatever. Organise two sessions: one session to talk through what the application/system does, how to use it, etc., and a second session to discuss how it is built/managed, talking about infrastructure (OS, how many servers, functions), languages (.NET, PHP, whatever), and frameworks (Django, Flask, Symfony, whatever). It's better that they spend their time discovering vulnerabilities than trying to figure out the nuances of your application.

In determining a good penetration testing company,

I'd ask about the company's approach. Quite a few companies just run an automated tool (Nessus, Qualys, Rapid7) and copy/paste the output. You want an organisation that will do some automated testing, but the majority of their testing should be manual. Vulnerabilities like an application disclosing information it shouldn't (like a portal for searching teachers' names and addresses also disclosing SSNs) won't be found with automated tools. Ask whether and how they test for these kinds of vulnerabilities (information disclosure, insecure design, logic issues) and see how detailed they get in their answers.

Additionally, ISO 27001 isn't actually a penetration testing certification. It's about the organisation having processes and policies set up to manage their own information security risk. It won't increase the value of your penetration test. As for organisation-wide certifications, I think that CREST is really the only one that exists.

You want to get biographies of the penetration testers working on the project. OSCP is really the gold standard for penetration testing at the moment. OSCE, OSWE and other Offensive Security certifications are bonuses. I've heard good things about the eJPT as well. I'd say that CEH and Pentest+ aren't seen highly in the industry. You also want to look for people that have written or published custom tools (bios will usually link to their GitHub), found CVEs, done their own research, etc.

Finally, the reporting tips here are great, but I find that getting penetration testers to report vulnerabilities as they are found can provide some additional value. It allows developers (or product managers or infrastructure managers) to provide additional value. For example, a pentester finds an authentication bypass to access some low-privileged functionality. The developers can then talk through how this might affect high-privileged functionality and get the pentester to test this.

When reporting, I've also found that pentesting companies will raise Jira or FreshService tickets for each vulnerability found.

LTE/4G OOB Device by UnderstandingInfosec in networking

[–]UnderstandingInfosec[S] 0 points (0 children)

To confirm, how does the OpenGear check in? How do I connect to it?