Preparing a test plan

A vulnerability assessment is often an ongoing exercise that is repeated at regular intervals. However, for a given time period, a vulnerability assessment does have a specific start point and an endpoint irrespective of what type of test is performed. Thus, in order to ensure a successful vulnerability assessment, a detailed plan is necessary. The plan can have several elements as follows:

  • Overview: This section provides a high-level orientation for the test plan.
  • Purpose: This section states the overall purpose and intent of conducting the test. There may be some regulatory requirements or any explicit requirement from the customer.
  • Applicable laws and regulations: This section lists all the applicable laws and regulations with respect to the test being planned. These may include local as well as international laws.
  • Applicable standards and guidelines: This section lists all the applicable standards and guidelines, if any, with respect to the test being planned. For example, in the case of web application vulnerability assessment, standards such as OWASP may be followed.
  • Scope: Scope is an important section of the plan as it essentially lists the systems that will undergo the testing. An improper scope could seriously impact the test deliverable going forward. The scope must be outlined in detail, including hosts and IP addresses of target systems, web applications, and databases if any, and the privileges that will be used for testing.
  • Assumptions: This section mainly records the prerequisites that must be made available to the VA tester in a timely manner, so that the test is not delayed by operational issues. It could also include the assumption that the systems in scope won't undergo major upgrades or changes during the test.
  • Methodology: This section relates to the type of methodology that will be adopted for the test. It could be a black box, gray box, or white box depending on the organization's requirements.
  • Test plan: This section details who will be performing the test, the daily schedule, detailed tasks, and contact information.
  • Rules of engagement: This section lists the explicit terms and conditions that need to be followed during the test. For example, an organization may wish to exclude a certain set of systems from automated scanning. Such explicit conditions and requirements are put forward in the rules of engagement.
  • Stakeholder communication: This section lists all the stakeholders that will be involved throughout the test process. It is extremely important to keep all the stakeholders updated about the progress of the test in a timely manner. The stakeholders to be included must be approved by senior management.
  • Liabilities: This section highlights the liabilities of any action or event that may occur during the test which could possibly have an adverse impact on the business operations. The liabilities are on both sides, that is, the organization and the VA tester.
  • Authorized approvals and signatures: Once all the preceding sections are carefully drafted and agreed upon, the plan must be signed by the relevant authority before any testing begins.

A comprehensive test plan is also referred to as the Statement of Work (SoW).
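The Scope, Test plan (schedule), Rules of engagement, and Approvals sections above can be enforced mechanically before a scanner is pointed at anything. The following is an added example, not code from the original text: it encodes a constructed, hypothetical test plan and checks whether a given target is authorized for scanning at a given time, honouring an RoE carve-out from automated scanning.

```python
import ipaddress
from datetime import datetime

# Constructed example of the Scope, schedule, RoE and approval sections of a
# test plan. All addresses, dates and flags are hypothetical placeholders.
TEST_PLAN = {
    "in_scope": ["10.10.0.0/24", "192.0.2.10", "192.0.2.11"],   # hosts/CIDRs
    "excluded_from_automated_scanning": ["10.10.0.5"],          # RoE carve-out
    "window": ("2024-05-06T08:00", "2024-05-10T18:00"),         # daily schedule
    "signed_off": True,                                          # approvals section
}


def parse_scope(entries):
    """Turn host and CIDR strings into ip_network objects (a bare host becomes /32)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def check_target(plan, target, when, automated):
    """Return (allowed, reason) for scanning `target` at ISO timestamp `when`.

    `automated` is True for scanner runs, False for manual verification, because
    the RoE exclusion in this plan applies only to automated scanning.
    """
    if not plan["signed_off"]:
        return False, "plan not signed off"
    start, end = (datetime.fromisoformat(t) for t in plan["window"])
    if not start <= datetime.fromisoformat(when) <= end:
        return False, "outside the authorized test window"
    addr = ipaddress.ip_address(target)
    if not any(addr in net for net in parse_scope(plan["in_scope"])):
        return False, "target not in scope"
    excluded = parse_scope(plan["excluded_from_automated_scanning"])
    if automated and any(addr in net for net in excluded):
        return False, "excluded from automated scanning by rules of engagement"
    return True, "authorized"


if __name__ == "__main__":
    for host, auto in [("10.10.0.7", True), ("10.10.0.5", True), ("203.0.113.4", False)]:
        print(host, check_target(TEST_PLAN, host, "2024-05-07T10:00", auto))
```

Every refusal carries the section of the plan that caused it, which is the evidence a tester needs when a stakeholder asks why a host was skipped.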
