As the IT specialist for an occupational health organisation committed to open source which was a directive set by our retiring CEO two decades prior. All staff, including admin, accounts, HR, customer support and medical personnel all utilise Linux. Given our handling of sensitive medical data stringent security is imperative and the CEO demands the highest possible standards.
My role is comprehensive, encompassing all IT functions. The CEO champions open source primarily because It's "free" and configurable.
When we were renewing our phone contracts, I suggested GrapheneOS which was my daily driver OS to the CEO, telling him how secure it was compared to stock Android. As he is a keen hater of Google, Microsoft and all Big Tech he was excited to give our staff GrapheneOS phones. But, this coincided with our pursuit of UK computer security compliance.
Since GrapheneOS's bootloader has a modification and GrapheneOS comes with an unregulated App Store. It instantly rendered us non compliant.
Ironically, a Chinese brand phone suspected of using potential hardware or OS level backdoors would have been fully compliant.
Unfortunately, some security adjustments I made for certification actually compromised our security, but more and more contracts required this compliance certificate.
So this made it unavoidable.
It's all about a pointing to a legal company if something goes wrong.Since it's a legal company it should have paperwork and logs to help track incidents.
GrapheneOS isn't required to have the same documentation or official procedures as a legal business entity is required to have.