What must a security assessor do prior starting an assessment?

Prior to any security assessment, have the PM/tech lead complete the scoping questionnaire. This will identify all in-scope and out-of-scope technologies and components and will allow the security engineer to estimate the level of effort to complete security testing. The in-scope items in the questionnaire will be reflected in the security test plan and confirmed by the PM/tech lead prior to security testing.