Test Plan From Scratch

Write a lightweight but complete test plan for an Order Tracking feature release — covering scope, risk-based approach, entry/exit criteria, test types, test data, environments, responsibilities, and a reporting strategy that non-QA stakeholders can act on.

Role

Manual QA engineer

Difficulty

Intermediate

Time limit

90 min

Scenario

Your team is releasing an Order Tracking feature to production next week. The feature allows logged-in customers to view their order status (Placed, Processing, Shipped, Delivered, Cancelled), see a courier tracking number, and receive automated email notifications when an order's status changes. A third-party courier API provides real-time tracking data; your staging environment uses a mock courier API. Management wants a test plan reviewed and approved before QA testing begins. Write a lightweight test plan — comprehensive enough to give the team confidence, concise enough to be read and acted on in one sitting.

Requirements

1.Define scope (what is being tested) and out-of-scope (what is explicitly excluded) — at least three items in each
2.Write entry criteria (minimum three, all objective and binary) and exit criteria (minimum four, including a defect-threshold condition and a coverage-threshold condition)
3.Identify at least four test types relevant to this release (e.g. functional, regression, integration, exploratory, accessibility) and justify why each is included — do not list test types that are not applicable
4.Build a risk register with at least four risks, each with: description, likelihood (High/Medium/Low), impact (High/Medium/Low), and a one-sentence mitigation or contingency
5.Specify test data requirements: name the user types, order states, status-transition sequences, and notification triggers needed, and state how each will be created or sourced
6.Define an environment matrix: at least two environments (e.g. staging, pre-production) with a statement of which testing activities run in each
7.Include a responsibilities table: name the role accountable for each testing activity (at minimum: test execution, defect triage, accessibility audit, and release sign-off)
8.Define a reporting approach: where defects are logged, the reporting cadence, the metric(s) reported, and who provides release sign-off

Starter data

›Feature: Order Tracking — order statuses: Placed, Processing, Shipped, Delivered, Cancelled
›Tracking number: sourced from third-party courier API; displayed on the order detail page once status reaches 'Shipped'
›Email notifications: triggered on status transitions Placed→Processing, Processing→Shipped, Shipped→Delivered; no notification on Cancelled
›Integration: third-party courier API (production); staging environment uses an internal mock courier API configured to return predefined tracking numbers
›Constraints: no performance SLA is defined yet; mobile responsiveness required (design spec targets iOS Safari and Android Chrome); WCAG 2.1 AA accessibility compliance required
›Users: logged-in customers can view their own orders only; admin users can manually update order status via the back-office (separate team, separate release)
›Timeline: QA testing window is 5 working days; release is 2 days after QA sign-off

Expected deliverables

✓A complete test plan document with all required sections: scope, out-of-scope, test approach, test types with justification, risk register, test data specification, environment matrix, entry criteria, exit criteria, responsibilities table, and reporting approach
✓Scope and out-of-scope sections each containing at least three items
✓Entry criteria: at least three conditions, all stated as objective binary checks (pass/fail, not 'mostly ready')
✓Exit criteria: at least four conditions including one defect-threshold (e.g. zero open Critical/High defects) and one coverage-threshold (e.g. 100% of P1 test cases executed)
✓Risk register with at least four risks, each with likelihood, impact, and mitigation
✓Test data specification naming specific user types, order states, status-transition sequences, and email notification triggers
✓Environment matrix showing which testing activities happen in which environment
✓Responsibilities table with named roles for test execution, defect triage, accessibility audit, and release sign-off
✓Reporting approach defining cadence, format, metric(s), and sign-off owner

Evaluation rubric

Dimension	What reviewers look for
Completeness and structure	Does the plan cover all required sections? Could a new team member join mid-sprint and understand what needs to be tested, by whom, and under what conditions testing is considered complete? A plan missing entry/exit criteria or a responsibilities table is missing load-bearing structure — not optional details.
Risk-based scoping	Is the scope driven by risk rather than exhaustiveness? The courier API integration is the highest-risk dependency (third-party, new, single point of failure for tracking number display and notification delivery) and should receive proportionally more coverage than low-risk areas like the static order-status label. A plan that treats all features as equal effort regardless of risk is not risk-based — it is a feature list.
Clear entry and exit criteria	Are entry criteria objective and binary? 'Feature is mostly implemented' fails; 'Feature branch merged to staging and smoke test suite passes' passes. Do exit criteria include both a defect threshold (specific severity levels and counts) and a coverage threshold (percentage of test cases executed)? Exit criteria that read 'QA is satisfied' are untestable and cannot support a sign-off decision.
Realistic and justified approach	Is the plan achievable within the stated 5-day testing window? Are the test types justified by the feature's characteristics — not just a list of every possible test type regardless of relevance? For a UI feature with a third-party API dependency, functional, integration, regression, exploratory, and accessibility testing are justified. Performance and security testing may be justified with a brief rationale or explicitly deferred.
Stakeholder communication	Is the reporting approach clear enough that a non-QA stakeholder (PM, engineering lead) knows what to expect and when? Is the sign-off process explicit — naming both the sign-off owner and what constitutes a passing state? A plan that says 'defects will be logged in Jira' but does not specify a filter, label, or dashboard link is not actionable for a stakeholder checking release readiness.

Sample solution outline

›Scope: order status display for all five statuses (Placed/Processing/Shipped/Delivered/Cancelled), tracking number display on Shipped orders, email notification delivery on three status transitions, mobile-responsive layout on iOS Safari and Android Chrome, WCAG 2.1 AA compliance for all new UI elements
›Out of scope: back-office admin status update workflow (separate release), courier API performance under load (no SLA defined), new user registration and login flows (existing regression suite covers these), payment processing
›Entry criteria: (1) feature branch merged to staging and all CI checks green; (2) mock courier API configured and returning predefined tracking numbers for at least one order per status; (3) at least five test customer accounts and five test orders (one per status) created in staging; (4) smoke test suite (5 P1 cases) passes
›Exit criteria: (1) 100% of P1 test cases executed; (2) zero open Critical defects, zero open High defects not accepted as known issues with documented workarounds; (3) accessibility audit passed (WCAG 2.1 AA, no blocker findings); (4) PM sign-off received; (5) release smoke test passes in pre-production
›Test types: Functional (verify each status displays correctly, tracking number shows on Shipped, notifications fire on correct transitions); Integration (mock courier API returns tracking data correctly; notification service sends emails to correct addresses); Regression (existing order and user flows unaffected); Exploratory (risk-based 60-minute session on notification edge cases and status-transition sequences); Accessibility (WCAG 2.1 AA audit on new order detail page elements)
›Risks: (1) Courier API integration breaks in pre-prod (High/High) — contingency: confirm mock-to-live API parity checklist before pre-prod promotion; (2) Notification emails delivered late or not at all (High/High) — mitigation: test with real SMTP relay in staging, not just mock; (3) Order status not updating in real-time for users already on the page (Medium/Medium) — mitigation: test polling/websocket behaviour with 30s and 5min delays; (4) Mobile layout regression on iOS Safari (Low/Medium) — mitigation: run on 3 viewport widths (390px, 768px, 1024px) using BrowserStack
›Test data: 5 customer accounts (cust-a through cust-e), 1 order per status (order-placed, order-processing, order-shipped, order-delivered, order-cancelled), 1 order in transition (placed→processing during session to test notification), email inbox accessible for notification verification (e.g. Mailosaur or team inbox)
›Environments: Staging (mock courier API — full functional/regression/accessibility/exploratory test execution); Pre-production (real courier API — integration smoke test only, 5 P1 cases); Production (post-deploy smoke test — 3 happy-path cases)

Common mistakes

Listing every possible test type (unit, integration, regression, performance, security, accessibility, usability, localisation) regardless of relevance — a one-week UI feature release does not need a localisation plan; unjustified test types signal that the plan was generated from a template without critical thinking
Writing exit criteria that are subjective or untestable ('testing is complete when QA is satisfied', 'the feature is stable enough') — exit criteria must be binary and measurable so that any stakeholder can determine pass/fail without consulting QA
Ignoring the courier API integration risk — the third-party API is the highest-risk dependency in this feature, yet many plans focus only on the UI and omit an integration test strategy or a contingency for API downtime
Writing a test plan that only QA can follow — responsibilities, reporting, and sign-off must be written for the whole team; a PM or engineering lead should be able to read the plan and know exactly what they are accountable for
Leaving test data to chance — 'I'll create test data as needed' is not a plan; missing test data on day one of a 5-day testing window blocks the entire team and cannot be recovered without slipping the timeline
Treating entry criteria as optional or setting them so low they are always met — entry criteria protect QA from spending days testing a broken build; 'feature is mostly done' is not a binary check and cannot protect the team

Submission checklist

All required sections present in the document: scope, out-of-scope, test approach, test types with justification, risk register, test data, environments, entry criteria, exit criteria, responsibilities, reporting
Scope and out-of-scope each list at least three items
At least three entry criteria, all stated as objective binary checks
At least four exit criteria including one defect-threshold and one coverage-threshold condition
Risk register with at least four risks, each with likelihood, impact, and a one-sentence mitigation
Test data specification names specific user types, order states, status-transition sequences, and notification triggers
Environment matrix shows which activities run in which environment
Responsibilities table names roles for test execution, defect triage, accessibility audit, and release sign-off
Reporting approach states cadence, metric(s), defect log location, and sign-off owner

Extension ideas

+Add a test schedule section with milestone dates derived from a hypothetical sprint calendar (e.g. feature freeze Day 1, regression complete Day 3, sign-off Day 5) and map test activities to the timeline
+Convert your exit criteria into a concrete Jira saved-filter query or test-run dashboard and describe how you would share it as a daily status link with the PM
+Write a one-page test summary report as if you had just completed the 5-day testing window — what metrics, defect counts, and risk statements would you present at the release go/no-go meeting?