Effective and rational management of a company cannot take place without the use of information technologies. Additionally, according to specific security requirements to protect the IT system against different threats, the development of a security system is significant for the companies and their clients and satisfactory common cooperation. The BPMN (Business Process Model and Notation) can be used for this purpose; however, the basic version of BPMN and its current extensions do not support the service of security threats. For this reason, we propose to extend the BPMN to be possible to model the chosen security issues coming from company business processes. The paper deals with the selected aspects of security requirements modeling in terms of emerging threats on the example of existing extensions of business process modeling language and the proposition of BPMN extension for chosen security issues together with the definition of information security policy.