Some certifications lay out specific requirements for pentesting. Many certifications say test annually. It would be wise to conduct penetration tests when: new network infrastructure or applications are added; significant upgrades or modifications are applied to infrastructure or applications; new office locations are established; security patches are applied; end user policies are modified. One thing to keep in mind if you use AWS or other cloud service, you probably need to get approval first and make sure that you don't violate your TOS by conducting penetration testing out of the blue.