Article ID: 454438
Journal: Computers & Security
Published Year: 2015
Pages: 16 Pages
File Type: PDF
Abstract

• ISO/IEC 15504-5 processes can be adapted to deploy ISO/IEC 27002 controls on them.
• Relations between ISO/IEC 15504-5 and ISO/IEC 27002 security controls are analysed.
• From these relations, the ISO/IEC 15504 Security Extension has been developed.
• The Design Science Research paradigm has been followed during its development.
• The ISO/IEC 15504 Security Extension has been validated in industry.

The ISO/IEC 15504 international standard can be aligned with the ISO/IEC 27000 information security management framework. During the research conducted, all existing relations between ISO/IEC 15504-5 software development base practices and ISO/IEC 27002 security controls were analysed, and the ISO/IEC 15504 Security Extension was developed from them. This extension details the changes that software companies should make in their software lifecycle processes to implement the related security controls successfully. To attain our research objectives, we evaluate the ISO/IEC 15504 Security Extension through case studies in a sample of software development organizations. This study follows the design science research paradigm, which is based on constructive research.

Related Topics
Physical Sciences and Engineering / Computer Science / Computer Networks and Communications