Sorry to be a little late on this one. From my perspective, a test manager should be leading test activities. How your company defines these activities is the question. In most of the shops I worked, an SME would write the security test plan. In my opinion, any professional analyst could write this plan. This plan was part of the functional area as security was treated as both a functional and integrated area.
So, to answer your question, YES YES, a test plan must be written. Otherwise, how would the team know what has been tested? As far as who is in charge, well, it was the main test manager who was responsible for reporting to the director/team on the results of the overall test effort. I think it is always a good idea to get input from different disciplines when designing and executing a test strategy. Whether that's security or performance or functional, it really doesn't matter. It is a TEAM after all.