Information systems security is important for the day-to-day operations of business process. The current business process modeling can’t describe all the factors that the security management concerns on. A tri-layer business process model is presented in this paper from agent layer, activity layer and asset layer. This tri-layer model, which is based on business process and is convenient for security requirements analysis, expresses the relationship between activities, agents and assets. The essence that information systems are used to support the business process to fulfill the organizational functions is expressed in this tri-layer model. Such elements as assets, personnel, business activities the security management cares about are included in this model, which forms the basis and communication platform of security management. Finally, the pragmatic value of this tri-layer model is validated through a case of security management project of a manufacturing enterprise in China.