CertPrepNow
Microsoft | SC-730 | Updated 2026-06-13

SC-730 Study Guide

Everything you need to pass the Microsoft Certified: Cybersecurity Business Professional exam. Structured study plans, key services, common traps, and practice questions.

You Can Pass This Exam For Free

The SC-730 exam is very passable with free resources alone. Because it targets non-technical business professionals, the content is based on universally available cybersecurity awareness material:

  • Microsoft official SC-730 study guide on Microsoft Learn (free)
  • Microsoft Learn cybersecurity awareness training modules (free)
  • CISA Cybersecurity Awareness resources (free)
  • NIST Cybersecurity Framework overview documentation (free)
  • Your organization's own security awareness training materials (free)
  • 500+ free practice questions on this site

This is a fundamentals-level exam for business users. No Microsoft product knowledge is required. If you regularly complete your employer's annual security awareness training, you already know a significant portion of the material.

Choose Your Study Path

You have minimal exposure to cybersecurity concepts. You use a computer for work but have never thought deeply about security risks or best practices.

Week 1: Learn fundamental cybersecurity terms: vulnerability, threat, risk, exploit, encryption, malware, ransomware. Understand the cybersecurity shared responsibility model and why every employee plays a role
Week 2: Study common threats in depth: phishing (email, SMS, voice, QR code), social engineering techniques (pretexting, baiting, tailgating), and how to identify each. Learn what deepfakes are and why they matter
Week 3: Learn security best practices: strong passwords, password managers, multifactor authentication, software updates, securing remote workspaces, and safe public Wi-Fi usage
Week 4: Study data protection: sensitivity labels (public, internal, confidential, highly confidential), rights management, proper data handling, and what types of data should never be shared with AI tools
Week 5: Learn incident reporting and response: when to report, what information to include, which channels to use, and immediate steps during a data breach (stop sharing, disconnect, notify IT)
Week 6: Take practice questions across all domains and review the explanations carefully. Focus on Domain 2 (risks and threats), which is the largest portion at 30-35% of the exam

Exam Overview

Format

58 questions, 60 minutes of actual exam time (90-minute appointment includes NDA, survey, and feedback). Multiple choice and scenario-based questions from a business user perspective. Note: the exam is currently in beta with general availability expected in July 2026.

Scoring

Scaled score 100-1000. Passing: 700. No penalty for wrong answers — always answer every question.

Domains & Weights

  • Understand Cybersecurity Concepts27%
  • Understand Cybersecurity Risks and Threats33%
  • Apply Basic Security Practices to Protect the Organization28%
  • Report and Respond to Security Incidents12%

Registration

$99 USD. Available at Pearson VUE testing centers or online proctored from home.

Topic Priority Table

Not all topics are tested equally. Focus your study time on Tier 1 first, then Tier 2. Tier 3 topics rarely appear — just recognize what they do.

Tier 1 (Must Know): You must understand these concepts deeply, know definitions, and be able to apply them in workplace scenarios. These appear across multiple questions.
Tier 2 (Should Know): Understand what these are and their key characteristics. May appear in 2-5 questions each.
Tier 3 (Recognize Only): Know what these are at a high level. Rarely more than 1-2 questions each.

Domain 1 (27% of exam)

Understand Cybersecurity Concepts

This domain covers foundational cybersecurity knowledge that every business professional should have. You need to understand the shared responsibility model, key security terms and definitions, the benefits of MFA and password managers, and emerging threats like deepfakes. It also tests your understanding of organizational security policies and data-handling standards.

Key Topics

Shared Responsibility Model, Multifactor Authentication, Password Managers, Encryption, Deepfakes, Software Updates, Security Policies

Must-Know Concepts

  • Cybersecurity shared responsibility model: security is not just IT's job — every employee shares responsibility for protecting organizational data and systems
  • Employee security awareness activities: recognizing phishing, reporting suspicious activity, completing security training, following policies, and practicing good password hygiene
  • Accountability practices: understanding your role in protecting data, following policies, and accepting responsibility for security-related actions in your daily work
  • Security and privacy policies applicable to your work tasks, including acceptable use policies, data handling procedures, and privacy expectations
  • Types of data that should NEVER be shared with public AI tools: confidential business data, customer PII, financial records, trade secrets, and internal strategic documents
  • Benefits of password managers: generate strong unique passwords, eliminate password reuse, securely store credentials, and auto-fill login forms
  • MFA benefits: adds a second verification layer so a stolen password alone cannot compromise an account. Know the three factor types: something you know (password, PIN), something you have (phone, hardware token), something you are (biometric such as fingerprint or face). Two factors of the same type (two passwords) are not MFA
  • Business processes that may be targeted by threat actors: financial transactions, vendor payments, executive communications, customer data access, and HR processes
  • Risks of remote work: unsecured home networks, shoulder surfing in public spaces, shared devices, physical document exposure, and distraction-based social engineering
  • Why software updates and security patches are critical: they fix known vulnerabilities that attackers actively exploit. Delaying updates increases risk
  • Impact of security events like ransomware: business disruption, data loss, financial costs, reputational damage, regulatory penalties, and customer trust erosion
  • Key definitions: vulnerability (a weakness), threat (a potential danger), risk (likelihood and impact of a threat exploiting a vulnerability), encryption (transforming data so it cannot be read without the correct key; this is not the same as encoding, which anyone can reverse), exploit (a method used to take advantage of a vulnerability)

Common Exam Traps

The shared responsibility model is NOT just about cloud computing on this exam. It means every employee shares security responsibility with the IT team, regardless of technology
Encryption protects data but does NOT make it impossible to steal. Encrypted data can still be exfiltrated; it just cannot be read without the key
Deepfakes are tested as a DEFINITION question, not a technical question. Know what they are and why they are dangerous, not how they are technically created
Password managers are the RECOMMENDED approach. The exam does not accept 'writing passwords in a notebook' or 'using the same strong password everywhere' as valid alternatives
Software updates should be applied promptly, not delayed indefinitely. 'Wait and see if updates break anything' is not the recommended business user approach on this exam
Quick Check: Understand Cybersecurity Concepts


A project manager receives an email requesting urgent payment to a new vendor account. The email appears to come from the CFO. What should the project manager do FIRST?

Domain 2 (33% of exam)

Understand Cybersecurity Risks and Threats

The heaviest domain at 30-35% of the exam. Covers identifying common cybersecurity risks, detecting indicators of malicious activity, evaluating digital communications for legitimacy, and understanding access controls. This domain is scenario-heavy: expect questions presenting workplace situations where you must identify the threat or choose the correct response.

Key Topics

Phishing Detection, Social Engineering, Malware Indicators, Insider Threats, Access Controls, Communication Verification

Must-Know Concepts

  • Public Wi-Fi risks: eavesdropping, man-in-the-middle attacks, rogue hotspots, session hijacking. Use VPN when possible and avoid accessing sensitive data on public networks
  • Social engineering techniques: phishing (deceptive messages), pretexting (fabricated scenarios), baiting (enticing offers/items), tailgating (following authorized personnel into secure areas)
  • Malware indicators: unexpected system slowdowns, unusual pop-ups, programs launching without user action, unexplained file changes, disabled security software, unexpected network activity
  • Insider threat indicators: accessing data outside normal job duties, downloading large amounts of data, working unusual hours without justification, expressing dissatisfaction and having access to sensitive systems
  • Abnormal system behavior or infection symptoms: computer running unusually slow, browser redirects, new toolbars or programs appearing, disabled antivirus, files becoming encrypted
  • How to identify suspicious emails: mismatched sender addresses, urgency or fear tactics, unexpected attachments, generic greetings, grammatical errors, requests for credentials or payment
  • How to identify malicious links: hover to check the actual URL before clicking, look for misspelled or lookalike domains, be wary of shortened URLs that hide the destination, and remember that a padlock or HTTPS only means the connection is encrypted, not that the site is legitimate; phishing sites use HTTPS too
  • Verifying legitimacy of requests: always verify requests for access, payments, or sensitive data through a separate known channel. Never trust the contact information in the suspicious message itself
  • Identifying privacy and security risks in communications: requests for personal information, pressure to bypass normal procedures, unusual urgency, requests to keep actions secret
  • Access controls: limiting access to systems and data based on job role and need-to-know. Principle of least privilege — only grant the minimum access needed to perform a task
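The suspicious-email and malicious-link indicators listed above (mismatched sender address, Reply-To pointing elsewhere, urgency language, link text that differs from the real destination, lookalike domains, URL shorteners) can be checked mechanically. The script below is an added example written for this guide, not material from the exam or from Microsoft; the trusted-domain list, the shortener list and both sample messages are constructed assumptions for the illustration.

```python
"""Phishing-indicator checks over constructed sample emails (added example)."""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example.com"}               # assumed: the organisation's own domain
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}  # assumed: short illustrative list
URGENCY = ("urgent", "immediately", "within 24 hours", "will be suspended")


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:          # only text inside an <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registrable(host):
    """Last two labels of a host (login.example.com -> example.com).
    Simplification: no public-suffix list, so co.uk-style domains are wrong."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to spot typosquats such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_link(text, href):
    """Indicator codes for one anchor. An https:// scheme earns no credit:
    attackers obtain TLS certificates as easily as anyone else."""
    codes, url = [], urlparse(href)
    host = (url.hostname or "").lower()
    if url.username:                         # https://example.com@evil.test/ hides the real host
        codes.append("userinfo-in-url")
    if host in SHORTENERS:
        codes.append("url-shortener")
    if any(label.startswith("xn--") for label in host.split(".")):
        codes.append("punycode-host")        # internationalised lookalike characters
    if "." in text and " " not in text:      # visible text that itself looks like a URL
        shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
        if shown and registrable(shown) != registrable(host):
            codes.append("link-text-mismatch")
    reg = registrable(host)
    if reg not in TRUSTED_DOMAINS and any(0 < edit_distance(reg, t) <= 2 for t in TRUSTED_DOMAINS):
        codes.append("lookalike-domain")
    return codes


def analyze(raw_message):
    """Return (indicator, detail) pairs for a single-part RFC 5322 message string."""
    msg, findings = message_from_string(raw_message), []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    # Display name borrows a trusted brand while the address domain is not ours
    if from_domain not in TRUSTED_DOMAINS and any(
            t.split(".")[0] in from_name.lower() for t in TRUSTED_DOMAINS):
        findings.append(("sender-domain-mismatch", f"{from_name!r} sent from {from_domain}"))
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    if reply_domain and reply_domain != from_domain:
        findings.append(("reply-to-mismatch", f"replies go to {reply_domain}"))
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", errors="replace")
    hits = [w for w in URGENCY if w in body.lower()]
    if hits:
        findings.append(("urgency", ", ".join(hits)))
    collector = LinkCollector()
    collector.feed(body)
    for text, href in collector.links:
        findings.extend((code, href) for code in check_link(text, href))
    return findings


# Constructed sample: every indicator above fires at least once.
PHISH = """\
From: "Example Corp IT Support" <helpdesk@examp1e-support.net>
Reply-To: recovery@mail-verify.net
To: pm@example.com
Subject: Action required: password expires today
Content-Type: text/html

<html><body>
<p>Reset your password within 24 hours or your account will be suspended.</p>
<p>Reset here: <a href="https://example.com@examp1e.com/reset">https://example.com/reset</a></p>
<p>Short link: <a href="https://bit.ly/3abc">here</a>,
mirror: <a href="https://xn--exmple-cua.com/reset">example.com</a></p>
</body></html>
"""

# Constructed sample: ordinary internal mail, should produce no findings.
CLEAN = """\
From: Alice <alice@example.com>
To: pm@example.com
Subject: Q3 review notes
Content-Type: text/html

<html><body><p>Notes are at <a href="https://docs.example.com/q3">the wiki</a>.</p></body></html>
"""

if __name__ == "__main__":
    for code, detail in analyze(PHISH):
        print(f"{code:22} {detail}")
    print("clean message findings:", analyze(CLEAN))
```

The checks deliberately ignore the scheme: the exam's "check for HTTPS" advice only tells you the transport is encrypted, so the script never treats `https://` as a sign of legitimacy. The `user@host` trick and the punycode host are the two cases where what a hover tooltip appears to show and where the browser actually goes diverge most, which is why they get their own indicator codes.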

Common Exam Traps

Phishing is NOT limited to email. The exam covers phishing via SMS (smishing), voice calls (vishing), and QR codes (quishing). If a question describes a suspicious text message, it is still phishing
Not all insider threats are malicious. Careless or negligent employees who accidentally expose data are also insider threats. The exam tests BOTH intentional and unintentional insider risks
A legitimate-looking email from a known contact can still be phishing. Attackers can spoof email addresses or compromise real accounts. Always verify unexpected requests
Public Wi-Fi is risky even with a password. A coffee shop Wi-Fi with a password is still a public network. The risk comes from shared access, not the absence of a password
Access control questions ask what a BUSINESS USER should do, not what IT should configure. The correct answer is usually 'request access through proper channels' rather than 'configure permissions'
Quick Check: Understand Cybersecurity Risks and Threats


An employee notices their computer is running significantly slower than usual, the antivirus software appears to be disabled, and several unfamiliar programs are listed in the task manager. What is the MOST likely explanation?

Domain 3 (28% of exam)

Apply Basic Security Practices to Protect the Organization

This domain tests your ability to apply practical security measures in daily work. Covers device and account security, sensitive data protection through classification and labeling, safe internet and data-handling practices, and backup and recovery fundamentals. Questions focus on what you should DO, not what technology does behind the scenes.

Key Topics

Device Security, Account Security, Sensitivity Labels, Rights Management, Data Handling, Backup and Recovery

Must-Know Concepts

  • Securing remote and mobile devices: use strong passwords or biometrics, enable MFA, lock screens when stepping away, keep software updated, use VPN on public networks, encrypt device storage
  • Securing workspaces: clean desk policy, locking computer when unattended, securing physical documents, being aware of shoulder surfing, not leaving devices unattended in public
  • Recognizing and classifying sensitive data: understand what makes data sensitive (PII, financial records, health data, trade secrets) and how to identify it in daily work
  • Sensitivity labeling types and when to apply each: Public (approved for external sharing), Internal (for employees only), Confidential (restricted to specific teams), Highly Confidential (strictest controls, need-to-know only)
  • Rights management: controls that restrict copying, printing, forwarding, or editing of protected documents. Understand when and why these restrictions are applied
  • Proper data-handling techniques: collecting only necessary data, using secure transfer methods, storing data in approved locations, following retention schedules, properly destroying data when no longer needed
  • Data lifecycle management: collect, use, transfer, store, retain, and destroy. Know appropriate practices for each phase
  • Ensuring data is backed up: understand why regular backups matter, that backups should be stored separately from primary data, and that backup procedures support incident recovery
  • Basic recovery measures: know what to do when data is lost or a system fails — contact IT, avoid attempting fixes that could worsen the situation, follow organizational recovery procedures

Common Exam Traps

Sensitivity labels are applied by USERS based on content sensitivity, not automatically by the system in all cases. The exam tests whether you know YOUR responsibility to label documents correctly
A strong password alone is NOT sufficient. The exam consistently positions MFA as essential even when strong passwords are used
Backing up data to the same device is NOT a proper backup. Backups must be stored in a separate location to protect against device failure or ransomware
Data destruction does not mean just deleting a file. Proper destruction ensures data cannot be recovered, which may involve specific procedures defined by your organization
When a system issue occurs, the business user answer is usually 'contact IT' or 'follow organizational procedures,' NOT 'troubleshoot it yourself'
Quick Check: Apply Basic Security Practices to Protect the Organization


An employee is preparing a document containing customer financial records for internal review. Which sensitivity label should be applied?

Domain 4 (12% of exam)

Report and Respond to Security Incidents

The smallest domain but critical for the exam. Tests your ability to recognize when to report, what information to include, which channels to use, and what immediate actions to take during a data breach. This domain is highly scenario-based: expect questions presenting incidents where you must choose the correct response sequence.

Key Topics

Incident Reporting, Breach Response, Escalation Procedures, Reporting Channels

Must-Know Concepts

  • Situations that require reporting: phishing attempts (even if not clicked), lost or stolen devices, unauthorized access to systems or data, suspicious emails or messages, observed policy violations
  • Information to include in a report: date and time of the incident, type of incident (phishing, lost device, unauthorized access), what data or systems were affected, actions already taken, and any evidence preserved
  • Appropriate reporting channels: IT help desk, dedicated incident reporting form, security team email, or phone — use the channel designated by your organization, not personal email or social media
  • Immediate steps when a breach occurs: stop sharing the affected data, disconnect compromised devices from the network, notify IT or the security team immediately, preserve evidence, do not attempt to investigate or fix on your own
  • When escalation is required: sensitive data exposure (PII, financial, health data), ransomware incidents, suspected compromise of executive accounts, any incident that may affect customers or regulatory compliance
  • What NOT to do during an incident: do not try to track down the attacker, do not pay a ransom without authorization, do not delete evidence, do not continue using a compromised system, do not delay reporting

Common Exam Traps

Report phishing attempts EVEN IF you did not click the link. The fact that the phishing email reached your inbox is valuable information for the security team to prevent others from being targeted
A lost device ALWAYS requires reporting, even if it is locked and encrypted. The potential for data exposure exists and must be assessed by the security team
The correct first step in most incident scenarios is to REPORT, not to investigate. Business users should not try to determine the scope or cause of an incident themselves
Disconnecting a compromised device means removing it from the NETWORK (Wi-Fi/Ethernet), not turning it off. Powering off wipes evidence held in memory (running processes, active connections) that the security team may need for forensics
Escalation does not mean going over your manager's head. It means following the organization's defined escalation path, which typically goes from help desk to security team to management
Quick Check: Report and Respond to Security Incidents


An employee receives an email that appears to be phishing but did not click any links or open any attachments. What should they do?

Concepts You Must Not Confuse

These pairs appear on nearly every exam. Learn the difference and you'll avoid the most common traps.

Phishing vs Pretexting

Use Phishing when…

Attacker sends deceptive messages (usually email) impersonating a trusted entity to trick victims into clicking links, downloading attachments, or revealing credentials.

Use Pretexting when…

Attacker creates a fabricated scenario or identity to build trust and manipulate the victim into divulging information or performing actions over time.

Exam trap

Phishing typically uses urgency and impersonation via digital communications. Pretexting involves building a believable backstory and may happen over phone, in person, or across multiple interactions. Both are social engineering, but the approach differs significantly.

Malware vs Ransomware

Use Malware when…

Broad category of malicious software including viruses, worms, trojans, and spyware. Designed to damage systems, steal data, or gain unauthorized access.

Use Ransomware when…

A specific type of malware that encrypts files or locks systems and demands payment for restoration. Focuses on extortion rather than theft or destruction.

Exam trap

All ransomware is malware, but not all malware is ransomware. When a question describes encrypted files with a payment demand, that is ransomware specifically. When it describes system slowdowns, unexpected pop-ups, or unauthorized access, it may be other malware types.

Vulnerability vs Threat

Use Vulnerability when…

A weakness or flaw in a system that COULD be exploited. It exists whether or not anyone exploits it. Examples: unpatched software, weak passwords, misconfigured settings.

Use Threat when…

A potential danger that COULD exploit a vulnerability to cause harm. It is the actor or event that takes advantage of weaknesses. Examples: hackers, malware, natural disasters.

Exam trap

A vulnerability is a WEAKNESS. A threat is the DANGER that exploits it. Risk is the LIKELIHOOD and IMPACT of a threat exploiting a vulnerability. The exam tests whether you can correctly match these three definitions.

Sensitivity Labels vs Rights Management

Use Sensitivity Labels when…

Visual classification tags applied to documents and emails indicating their sensitivity level (Public, Internal, Confidential, Highly Confidential). Guide how data should be handled.

Use Rights Management when…

Technical controls that enforce restrictions on what users can DO with content, such as preventing copying, printing, forwarding, or editing of protected documents.

Exam trap

Sensitivity labels CLASSIFY data and communicate handling requirements. Rights management ENFORCES restrictions on data usage. Labels tell you how sensitive something is; rights management prevents unauthorized actions. They often work together but serve different purposes.

Misinformation vs Disinformation

Use Misinformation when…

False or inaccurate information spread WITHOUT deliberate intent to deceive. The person sharing it may genuinely believe it is true.

Use Disinformation when…

False information deliberately created and spread WITH the intent to deceive, manipulate public opinion, or cause harm.

Exam trap

The INTENT is the key difference. Misinformation is accidental (sharing a false news story thinking it is real). Disinformation is deliberate (creating a deepfake to defraud someone). Both can cause harm, but only disinformation involves malicious intent.

Data Backup vs Data Recovery

Use Data Backup when…

The proactive process of regularly copying data to a separate, secure location to protect against loss from hardware failure, ransomware, accidental deletion, or disasters.

Use Data Recovery when…

The reactive process of restoring data from backups after a loss event has occurred. Depends on having proper backups in place.

Exam trap

Backup is what you do BEFORE an incident (proactive). Recovery is what you do AFTER an incident (reactive). Without proper backups, recovery may be impossible. The exam tests whether you understand the relationship between the two.

SC-730 vs SC-900

Use SC-730 when…

Cybersecurity Business Professional certification for non-technical roles. Tests general cybersecurity awareness, threat recognition, and incident reporting from a business user perspective. Vendor-agnostic.

Use SC-900 when…

Security, Compliance, and Identity Fundamentals certification, oriented to IT and product knowledge rather than everyday user behaviour. Tests Microsoft-specific security products such as Defender, Entra ID, and Purview.

Exam trap

SC-730 is vendor-agnostic and asks what a BUSINESS USER should do. SC-900 is Microsoft-specific and asks what the TECHNOLOGY does. If you hold SC-900, you likely know the content but must shift your mindset to answer as a business user, not an IT administrator.

Top Mistakes to Avoid

Answering as an IT administrator instead of a business user — the SC-730 tests what a non-technical employee should do, which is usually 'report to IT' rather than 'investigate and fix'
Confusing vulnerability (a weakness) with threat (a potential danger) with risk (the likelihood and impact of a threat exploiting a vulnerability)
Thinking phishing only happens through email — the exam covers SMS phishing (smishing), voice phishing (vishing), and QR code phishing (quishing)
Assuming a strong password alone is sufficient — the exam consistently positions MFA as essential even when strong passwords are in place
Not reporting a phishing email because you did not click the link — reporting is required regardless because the security team needs to protect other employees
Thinking a lost encrypted device does not need to be reported — all lost or stolen devices must be reported immediately regardless of encryption status
Confusing sensitivity labels with rights management — labels classify data and communicate handling requirements, while rights management enforces restrictions on what users can do with the data
Treating pretexting and phishing as the same thing — phishing uses deceptive digital messages while pretexting builds fabricated scenarios through extended interaction
Believing password-protected public Wi-Fi is secure — a coffee shop Wi-Fi with a password is still a public network with shared access and the same risks
Attempting to self-remediate during a security incident instead of reporting to IT — business users should report, disconnect, and preserve evidence, not investigate or fix

Exam-Ready Checklist

Can define all key cybersecurity terms: vulnerability, threat, risk, exploit, encryption, malware, ransomware, phishing, social engineering
Understand the shared responsibility model and can explain why every employee has cybersecurity responsibilities
Can identify all forms of phishing: email, SMS (smishing), voice (vishing), and QR code (quishing)
Know the three MFA factor types: something you know (password), something you have (phone/token), something you are (biometric)
Can distinguish between social engineering techniques: phishing, pretexting, baiting, and tailgating
Know when and how to apply sensitivity labels: Public, Internal, Confidential, and Highly Confidential
Understand what types of data should never be shared with public AI tools
Can identify common malware infection indicators and insider threat warning signs
Know the correct incident reporting steps: what to report, what information to include, and which channel to use
Understand the correct response to a ransomware attack: disconnect from network, notify IT, do NOT pay ransom or turn off the computer
Can explain the risks of public Wi-Fi and the precautions for remote work (VPN, screen positioning, device locking)
Know the data lifecycle phases: collect, use, transfer, store, retain, destroy — and appropriate practices for each
Scored 75%+ on at least two full mock exams (700/1000 passing score)

Recommended Resources


Paid Courses & Practice Exams

These are recommended if you prefer a structured learning path. They can save time but are not required to pass.
