By Dr. Rumaizi bin Ahmad
Chairman of the Muslim Scholars Association of Malaysia, Selangor Chapter (PUMSel), a Certified Preacher (Penceramah Bertauliah) under the Selangor Islamic Religious Department (JAIS), a Syarie Lawyer, and holds a Doctorate in Business Administration (DBA)
As I was doing my Masters thesis on cyber security for Islamic organisations, I realised that the issues we are facing today are not just technical and that the challenges we are facing are challenges to the amānah that Allah has placed on us as those who have a responsibility in these institutions. It is here that the relevance of Maqāṣid al-Sharīʿah is not only highlighted but also demonstrated to be essential as a methodological framework.
This article is based on two sources that I have found to dovetail into one another in remarkable coherence; first the Maqāṣid based Corporate Cybersecurity Framework (MCCF) I developed in my Master’s thesis and second the intellectual vision that is presented by Professor Jasser Auda in Re-envisioning Islamic Scholarship: Maqāṣid Methodology as a New Approach (Claritas Books, 2021), a foundational text for the Advance Certificate in Maqāṣid that I am currently completing.
What Is the Real Problem?
As the Chairman of the Muslim Scholars Association of Malaysia, Selangor Chapter (Persatuan Ulama Malaysia Cawangan Selangor — PUMSel), I have sensitive data that includes financial data, religious publications, membership registration and constitutional documents, all of which are managed digitally. However, what is evident from PUMSel’s Digital Strategic Plan 2026-2028 is that none of the committee members have cybersecurity skills.
It’s not just a lack of IT skill. It is a deficiency in amānah. Yet, however, apart from the technical aspect there is a much bigger issue with how we, as Islamic scholars and organisational leaders, tackle the contemporary issues. In the book mentioned above, Jasser Auda lists five basic flaws in current Islamic studies: taqlīd (imitation), tajzīʾ (partialism), tabrīr (apologism), tanāquḍ (contradiction) and tafkīk (deconstructionism). I would like to observe with this diagnostic lens the current state of Islamic organisations in the way they are dealing with — or mishandling — their cybersecurity duties.
Tajzīʾ and Tabrīr: Two Ailments That Must Be Addressed
I find the idea of tajzīʾ (the tendency to look at something in bits and pieces without seeing the big picture) to be an almost perfect description of the approach most Islamic organisations take to cybersecurity. They install anti-virus software, maybe they require more stringent passwords, but there is no overarching framework that provides meaning and direction to these discrete steps.
Tajzīʾ in digital governance is: We secure our email accounts but not our cloud storage, we secure our organisational bank account but not how we treat data privacy of our members, we worry about being hacked but we don’t build a culture of murāqabah in our teams. There’s also tabrīr — apologism — the tendency to justify what is and to avoid an honest assessment of weaknesses and the need to change. The tabrīr surfaces when Islamic organisational leaders say: “We are just a small NGO — who would bother to hack us?” or “Insha’Allah, Allah will protect us.” This is not tawakkul. It’s piety in the guise of negligence. The Maqāṣid Methodology is exactly conceived to address these limitations by three orientations: future orientation, critical orientation and comprehensive orientation, argues Auda. Such three orientations are the ones that are required to establish a credible and principled framework for digital governance in Islamic institutions.
The MCCF: From Concept to Sharīʿah Commitment
In my thesis, I developed the Maqāṣid-based Corporate Cybersecurity Framework (MCCF), which systematically maps the five Ḍarūriyyāt al-Khams — the Five Essential Objectives of Islamic Law — onto the principal domains of corporate cybersecurity:
Ḥifẓ al-Dīn: protection of religion — in the corporate environment equates to the protection of the integrity of the organisation, the ethical management of data and the preservation of the organisation’s reputation in line with Sharīʿah. If the data of the members of PUMSel is lost, not only does it lose information, but also the credibility of the ʿulamāʾ institution as a trusted institution in the custody of religious knowledge is also lost. This is an attack straight on Ḥifẓ al-Dīn.
Ḥifẓ al-Nafs — protection of life — is business continuity making sure that the programmes and services that communities rely on are not disrupted by cyber incidents. The digital operations are a lifeline for PUMSel’s many community activities, includīng Jelajah Masjid, Tafaqquh Fiddīn, Ziarah Dakwah and Akademi PUMSel. The threat of Ḥifẓ al-Nafs in its institutional sense is an attack by a ransomware on the access to the cloud repositories of the organisation.
Ḥifẓ al-ʿAql — protection of the intellect — is information integrity and awareness of information security. Auda states that the true meaning of fiqh is “a deep understanding in all the branches of knowledge.” Security Awareness Training is thus not just an IT program, but an attempt to maintain the rational agency and cognitive integrity of each individual in the organization.
Ḥifẓ al-Nasl — protection of lineage — is manifested today in the protection of personal identity and privacy in the digital realm. Member registrations, the personal and professional data of Islamic scholars, the information of families, etc, all of these are amānah, which comes under the category of Ḥifẓ al-Nasl. A direct violation of this objective is digital identity theft.
Ḥifẓ al-Māl — protection of wealth — Financial fraud, bank account compromise and manipulation of digital donation platforms are among the threats that require a response, not only in terms of technical risk management, but also as a Sharīʿah duty.
Why the Maqāṣid Methodology Is More Than Symbolic Mapping
A common deficiency in traditional efforts to use Maqāṣid in the modern context is that they are superficial, merely “mapping” Islamic terminology on existing secular practices without changing the methodological foundations. This is, ironically, academic form of tajzīʾ.
Auda makes a good distinction between “methodology” and “framework.” A methodology is a set of principles that direct the way to solve a problem. A framework is the analytical tool that is the product of the methodology. He is of the opinion that the Maqāṣid Methodology starts with a purpose that is motivated by one of the objectives of Islam and then goes through Cycles of Reflection on the Quran and Sunnah to arrive at a complete analytical framework that is not borrowed from secular paradigms, rather it is based on revelation.
If we apply this to the MCCF, it should be the other way around – don’t start with “How do we configure a firewall?” The proper question to ask is, “What is it that we are to protect, why should Sharīʿah protect it, and what in the real world does it mean to protect it?” It is only from those answers that we then choose the right technical instruments.
The animating principle of the MCCF is jalb al-maṣāliḥ wa darʾ al-mafāsid — the promotion of benefit and the prevention of harm. This aligns directly with Auda’s critical orientation: we cannot be content with defendīng the status quo, but must continuously evaluate our present reality against the objectives of the Revelation, and act accordīngly.
Murāqabah as the Core of a Security Culture
Perhaps the greatest gift the Maqāṣid approach has to offer cybersecurity is culture. The idea of murāqabah means that Allah is always watching. It is a motivational underpinning for security-conscious behavior that no compliance policy can duplicate. The committee member who knows that he has broken the amānah of Allah by clicking a phishing link or by taking a weak password will take care of that in a different way from someone who only fears a reprimand from management. This is what Auda is saying when he talks of the comprehensive orientation of the Maqāṣid Methodology, that Maqāṣid is not just an analytical tool, but it also changes the way we live our responsibilities in all aspects of life including our digital lives. This understanding is the basis of the Digital Amanah Programme that was proposed in the MCCF. Cybersecurity isn’t reserved for IT professionals. It is the obligation of all mukallafīn who have a digital trust in an Islamic organisation.
The Maṣāliḥ Hierarchy and Security Control Prioritisation
One of the practical advantages of the Maqāṣid framework is that it provides a principled and rational system for prioritising limited resources. As with most Islamic NGOs, the finances of PUMSel are limited. If the budget is small, how do you know what to focus on when it comes to digital security training? The answer is to be found in the three-tiered hierarchy of the maṣāliḥ.
Multi-Factor Authentication (MFA), the 3-2-1 data backup strategy and a documented Incident Response Plan are all examples of Ḍarūriyyāt-level controls, which are controls that if they were not in place, the entire system would fail catastrophically. These are non-negotiable minimum obligations that are not to be excused.
Ḥājiyyāt-level controls, which are not necessarily immediately catastrophic but rather prevent significant harm, include phishing awareness training, periodic vulnerability assessments and regulatory compliance management. These are next priority as resources allow.
Taḥsīniyyāt-level controls are higher level threat intelligence solutions, AI-driven behavior analytics, comprehensive Zero Trust Architecture, and other aspirations that are longer-term and can be implemented in a phased and planned manner.
This helps the leaders of Islamic organisations to make decisions on resources that are not only sound but also Sharīʿah-compliant, and not merely because of the latest technology craze.
Conclusion: Re-envisioning Islamic Scholarship in the Digital Age
Auda concludes his elaboration of the Maqāṣid Methodology with a vision that has real power: that this project is to revitalise the original and far reaching notions of fiqh, fuqahāʾ, dīn and āyāt in the present day. The great scholars of the Islamic civilisation, such as Ibn Rushd, al-Kindi, al-Khawarizmi and Ibn al-Haytham, did not distinguish between religious knowledge and scientific inquiry. They were fuqahāʾ in the truest sense: scholars of profound knowledge in all the fields of knowledge and their scientific investigations were acts of reflection on the signs (āyāt) of Allah.
In the digital era, it is the obligation of Islamic scholars and organisational leaders to regain that breadth. The field of cybersecurity is not unfamiliar to the religious field, but is a dimension of the responsibility of ḥifẓ that Allah has given us as His stewards on earth. The lack of cybersecurity competency among the leadership of PUMSel currently is a symptom of the broader situation in the Muslim world. It’s also a chance, though. Each measure taken to ensure digital governance is ethical and secure, whether it’s enabling MFA for organisational accounts or creating a Digital Governance Policy based on the principles of amānah and murāqabah, is a manifestation of the iṣlāḥ to which Auda and the Maqāṣid tradition summons us.
The digital amānah is real and present. The Maqāṣid Methodology provides us with the motivation, but also with the methodological rigour to fulfil it.
Key References
Auda, Dr Jasser. (2021). Re-envisioning Islamic Scholarship: Maqāṣid Methodology as a New Approach. Claritas Books.
Al-Raysuni,Dr Ahmad. (2016). Madkhal ila Maqāṣid al-Sharīʿah (4th ed.). Dar al-Kalimah.
Al-Shatibi, Ibrahim Ibn Musa. (1997). Al-Muwāfaqāt fi Usul al-Sharīʿah (Vol. 2). Dar Ibn Affan.
Ibn ‘Ashur, Muhammad Al-Tahir (2006). Maqāṣid al-Sharīʿah al-Islāmiyyah. Dar al-Nafā’is.
Persatuan Ulama Malaysia Cawangan Selangor. (2025). Digital Strategic Management Plan PUMSel 2026–2028.