The SANS Internet Storm Center shares 3 key focal points for getting the best value from network vulnerability assessments: (1) vulnerability scans, (2) network penetration testing and (3) red team testing. The SANS ISC itself offers an EXCELLENT knowledge base for these activities.

https://isc.sans.edu/forums/diary/Getting+proper+value+out+of+security+assessments/25004/

https://isc.sans.edu

When purchasing (or performing) a security assessment, knowing exactly what you want (and what you provide) is very important. With a myriad of various engagements, it can be challenging to decide what is best for your organization. From a technical point of view, I generally categorize security assessments into the following three categories: vulnerability scanning (assessments), penetration tests and red team exercises. Deciding what you want to perform/purchase should go in exactly that order, and depend on your organization’s security maturity level. Let’s see what each of these is about.